BLUF (Bottom Line Up Front): On June 10, the Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive (BOD) 26-04, Prioritizing Security Updates Based on Risk. It revokes BOD 19-02 and BOD 22-01 and replaces them with something federal cybersecurity practitioners have been requesting for over a decade: permission to patch based on actual risk instead of a severity score. This is the most operationally honest vulnerability management policy CISA has ever issued. Whether it survives contact with the audit cycle depends on whether agencies and their Inspectors General (IGs) treat it as a risk framework or quietly turn it back into a checklist.

How Does BOD 26-04 Improve the Flaws in Previous Directives?

For years, federal vulnerability management ran under two parallel directives:

  • BOD 19-02 said to remediate internet-accessible critical vulnerabilities in 15 days and high vulnerabilities in 30, based on Common Vulnerability Scoring System (CVSS) severity. 
  • BOD 22-01 said to remediate anything on the Known Exploited Vulnerabilities (KEV) catalog by its due date. 

Both were improvements over what came before them. Both also shared the same flaw: they treated the vulnerability as the unit of risk, not the asset it lives on.

BOD 26-04 fixes that systemic issue. Every vulnerability on every asset now gets a remediation deadline computed from four decision points drawn from the Stakeholder-Specific Vulnerability Categorization (SSVC) methodology:

  • Asset Exposure: is the asset reachable by unauthenticated or untrusted entities from public networks?
  • KEV Status: is the vulnerability on CISA’s KEV catalog, meaning adversaries are actively exploiting it?
  • Exploit Automation: can an adversary automate every step of exploitation?
  • Technical Impact: does exploitation yield partial control or total control of the asset?

The worst combinations – publicly exposed, on the KEV, automatable and yielding total control – must be remediated in three calendar days. They also require mandatory forensic triage to determine whether you were already compromised. The lowest-risk combinations – internal, not on the KEV, not automatable – can wait for the next scheduled system upgrade. 

How Does CISA Support Risk Quantification?

CISA supplies the KEV, automatable and technical-impact decision points through its Vulnrichment program; where that data is not yet available, the directive defaults the timeline to 60 days, and an asset whose exposure status is unknown is treated as publicly exposed. The agency owns the fourth: knowing, continuously and accurately, what it has exposed to the internet.

BOD 26-04 – Risk-Based Remediation Timelines (Table 1)

Source: CISA BOD 26-04. Row shading by urgency tier: red = 3-day, amber = 14-day, green = 60-day, gray = fix on upgrade.

Read that last sentence again, because it's the entire directive. The agency owns the fourth: knowing, continuously and accurately, what it has exposed to the internet.

Three decision points are handed to you. The one you own, exposure, is a function of your asset inventory. BOD 26-04 is, underneath the patching language, an asset management mandate with deadlines attached.

Why a Former Agency CISO Is Excited

I spent years on the other side of the previous vulnerability management directives, including as Chief Information Security Officer at the Social Security Administration. I have lived the treadmill this directive retires: thousands of CVSS “critical” findings on systems three network segments deep behind an air gap, consuming the same engineering hours as a pre-auth remote code execution flaw on an internet-facing VPN concentrator. We burned scarce people on volume because the policy measured volume. The threat actor never cared about our CVSS backlog. They cared about what they could reach and what they could automate.

Cybersecurity is the art and science of maintaining operations. A patching policy that treats every vulnerability as equally urgent is neither art nor science. It is arithmetic. And adversaries using artificial intelligence (AI) to compress the window between patch release and weaponized exploit do arithmetic quickly. Faster than defenses can keep up when we’re focusing on the wrong things. BOD 26-04 concentrates defensive effort where exploitation is real, reachable and automatable.

Why Move From Compliance-based Telemetry to Risk-based Telemetry?

Compliance-based telemetry is data labeled to answer the auditor’s question: did you scan, did you log, did you patch by the date? It is static, backward-looking, checklist-driven and siloed: a scanner export here, an identity log there, never correlated into a picture of risk. 

Risk-based telemetry is the same data labeled to answer the adversary’s question: what can you reach and what do you control if you get there? Every asset carries exposure, environment, criticality and ownership context; every vulnerability carries exploitation evidence, automatability and impact enrichment; and the two are joined continuously, not annually. 

Compliance-based telemetry validates that controls exist. Risk-based telemetry validates that controls work.

I made the argument in my graduate capstone on the need to transition from compliance-based telemetry to risk-based telemetry. The industry at large has echoed that sentiment in various ways for quite some time. BOD 26-04 just made it federal policy for good reasons.

Example: When Compliance Doesn’t Ensure Security

Let’s look at a number that should bother everyone: the Government Accountability Office (GAO) rated the information security programs of 15 of 23 civilian agencies as “not effective.” Those same agencies met their compliance requirements. The vast majority of those systems carried an authorization to operate. The 2015 Office of Personnel Management breach happened inside an environment that was, on paper, substantially compliant.

Compliance Doesn’t Guarantee Security: IG Effectiveness Ratings of Civilian Agency Programs

15 of 23 civilian agencies rated “not effective” while meeting compliance requirements — controls existed; controls did not work. (Author’s analysis of GAO-24-106291 data)

We have spent two decades proving that compliance and security are not the same thing and the telemetry we collect is the reason.

Washington has taken notice and is responding across multiple vectors. On May 22, about three weeks before the issuance of BOD 26-04, the Office of Management and Budget (OMB) issued Memorandum M-26-14 rescinding M-21-31. The removal of the 2021 logging mandate said the quiet part out loud: retaining vast quantities of logging data without clear utility proved neither operationally feasible nor cost-effective.

That accumulation of data was compliance-based telemetry in its purest form: hoarding logs to satisfy a retention table rather than to answer questions regarding security effectiveness. 

M-26-14 replaces its predecessor with a risk-based, prioritized model built around two operational objectives: 

The new memorandum’s maturity model grades agencies on whether logs generate actionable, tuned alerts, not on how many terabytes sit in cold storage. 

When taken together, M-26-14 and BOD 26-04 form an undeniable arc: in the span of three weeks, federal policy moved logging from volume to utility and vulnerability management from severity to risk. 

The compliance-to-risk pivot is no longer a singular motion. It is the direction of travel and agencies should expect the next mandate to continue this momentum. The government will be asking new questions: not “did you collect it?” but “can you act on it?”

The Direction of Travel: Federal Policy Pivots from Compliance to Risk

Three weeks, two rescissions, one direction: M-26-14 and BOD 26-04 retire the compliance era’s mandates, leaving the FISMA audit regime as the lagging piece.

How Does CTEM Fit Into BOD 26-04?

BOD 26-04 quietly mandates the full loop of Continuous Threat Exposure Management (CTEM). The directive’s required actions map onto the stages of CTEM almost one for one: 

  • Asset tagging is scoping
  • Continuous identification of externally reachable assets is discovery
  • The four-factor decision table is prioritization
  • Grounding the “automatable by adversary” judgment in evidence is validation
  • The 3/14/60-day remediation clocks with forensic triage are mobilization

While the basis for BOD 26-04 (tagging every asset with agency, sub-agency, environment, exposure status and asset type, including private address space, into the Continuous Diagnostics and Mitigation (CDM) dashboards) may feel like busywork, it is actually the crucial first step of risk-based telemetry collection. It is also the first phase of CTEM.

It is a federal mandate to re-label the government’s telemetry from compliance context to risk context. CISA even supplies the enrichment half of the equation through its Vulnrichment program, publishing exploitation status, automatability and technical impact for every CVE. The agency’s job is to supply the asset half. When both halves are labeled for risk, the Table 1 deadline computes itself. When either half is still labeled for compliance, somebody is doing it by hand in a spreadsheet and losing.

The Hard Question: How Will the IGs Audit Agencies Under BOD 26-04?

Under the old directives, the IG’s job was straightforward. Pull the scan data, pull the KEV due dates and count the misses. The deadline is binary. It led to clean findings and clear plans of action and milestones and it taught a generation of federal security programs to manage by findings rather than by threat.

BOD 26-04 deliberately breaks that audit model. 

There is no longer one deadline per CVE. The deadline is the output of a decision and the timelines are dynamic. Take a system off the internet and the clock relaxes. CISA adds the CVE to the KEV and the clock tightens. 

What Does the Annual Federal Information Security Modernization Act (FISMA) Audit Look Like Under BOD 26-04?

Under BOD 26-04, auditors can no longer question a deadline without determining the decision behind it. That means the IG community, working through the Council of the Inspectors General on Integrity and Efficiency (CIGIE) with the Office of Management and Budget (OMB) and CISA, will need to evolve the annual IG FISMA metrics from auditing outcomes to auditing the integrity of the pipeline that produces them:

  • Inventory and exposure data quality. Is the agency’s “publicly exposed” determination accurate, current and validated by more than one method? Is asset tagging (organization, environment, exposure, asset type) complete in the Continuous Diagnostics and Mitigation (CDM) dashboards, including private address space?
  • Decision logic. Is the agency ingesting Vulnrichment data and computing timelines correctly, including recomputing when facts change?
  • Deferral discipline. Are “fix on system upgrade” decisions documented outputs of the decision table or a backlog wearing a risk-based costume?
  • Response readiness. When the three-day-plus-forensic-triage tier fires, can the agency produce the forensic triage report CISA’s implementation guidance calls for, documenting scoping, evidence preservation, containment, analysis and the escalation decision?

The Time Has Come for FISMA to Evolve

GAO has already told OMB, in plain language, that federal information security performance metrics need improvement. We can no longer settle for measuring whether controls exist; we need to determine whether they work. 

BOD 26-04 now puts binding operational policy on the risk-based side of that gap while the statute’s annual auditors remain anchored to control-existence reporting. That misalignment is unsustainable. 

It’s time for the annual independent evaluation to evolve. This shift can happen through the IG metrics in the near term and through statutory reform when Congress next takes up FISMA. I expect, in the near future, agencies will be graded on demonstrated risk reduction. That means auditors will test the quality of their risk-based telemetry and the integrity of their prioritization decisions, with compliance evidence generated as a byproduct of those operations rather than as a parallel paperwork exercise. Otherwise we will have built a risk-based operating model and bolted a compliance-based report card onto it and the report card will win. It always does.

How Can Agency Leaders Get Ahead of BOD 26-04?

My advice to agency leaders is simple: do not wait for the updated IG metrics to find out what defensible looks like. 

Build the audit trail into the operation now. Every deferral decision, every exposure determination and every mitigation that shifted a timeline should be captured, timestamped and traceable to the decision table. If your IG shows up with the old checklist mentality, your best defense is a decision record so complete that the risk-based answer is also the easiest one to audit. 
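The decision logic described earlier (four SSVC decision points mapped to a 3-, 14- or 60-day clock or fix-on-upgrade, the 60-day default when Vulnrichment data is missing, unknown exposure treated as public), the recomputation when exposure or KEV status changes, and the timestamped decision record this section calls for, as an added Python example that is not code from the directive or the author. The tier assignments for the intermediate combinations are an assumption made here for illustration and are not the directive's actual Table 1; the CVE id, asset names and dates are constructed placeholders.

```python
from dataclasses import dataclass, field, replace
from datetime import datetime, timedelta, timezone
from typing import Optional

FIX_ON_UPGRADE = None  # no calendar clock: remediate at the next scheduled system upgrade

@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    exposed: Optional[bool]        # None = exposure status not yet determined
    on_kev: Optional[bool]         # None = Vulnrichment enrichment not yet available
    automatable: Optional[bool]
    total_control: Optional[bool]

def clock_days(f: Finding) -> Optional[int]:
    """Map the four decision points to a remediation clock in days (or FIX_ON_UPGRADE)."""
    exposed = True if f.exposed is None else f.exposed  # unknown exposure is treated as public
    if None in (f.on_kev, f.automatable, f.total_control):
        return 60                                       # enrichment missing: 60-day default
    if exposed and f.on_kev and f.automatable and f.total_control:
        return 3                                        # worst case: 3 days plus forensic triage
    if not exposed and not f.on_kev and not f.automatable:
        return FIX_ON_UPGRADE                           # lowest-risk case: next scheduled upgrade
    # ASSUMED intermediate tiers for illustration only; not the directive's actual Table 1.
    if f.on_kev or (exposed and f.automatable and f.total_control):
        return 14
    return 60

@dataclass
class DecisionRecord:
    """Timestamped trail of every clock computation, traceable to the inputs that produced it."""
    entries: list = field(default_factory=list)

    def decide(self, f: Finding, now: datetime, reason: str) -> dict:
        days = clock_days(f)
        entry = {
            "at": now.isoformat(), "cve": f.cve, "asset": f.asset, "reason": reason,
            "inputs": {"exposed": f.exposed, "on_kev": f.on_kev,
                       "automatable": f.automatable, "total_control": f.total_control},
            "clock_days": days,
            "due": None if days is None else (now + timedelta(days=days)).date().isoformat(),
            "forensic_triage_required": days == 3,
        }
        self.entries.append(entry)
        return entry

def demo() -> DecisionRecord:
    """Constructed scenario: one finding's clock tightens and relaxes as the facts change."""
    rec = DecisionRecord()
    t0 = datetime(2026, 7, 1, tzinfo=timezone.utc)  # constructed timestamp
    f = Finding("CVE-0000-PLACEHOLDER", "vpn-edge-01",  # placeholder ids, not real
                exposed=True, on_kev=False, automatable=True, total_control=True)
    rec.decide(f, t0, "initial scan")                                       # 14 days (assumed tier)
    f = replace(f, on_kev=True)
    rec.decide(f, t0 + timedelta(days=1), "CISA added the CVE to the KEV")  # 3 days plus triage
    f = replace(f, exposed=False)
    rec.decide(f, t0 + timedelta(days=2), "asset taken off the internet")   # back to 14 days
    rec.decide(Finding("CVE-0000-PLACEHOLDER", "db-internal-07", exposed=False,
                       on_kev=None, automatable=None, total_control=None),
               t0, "enrichment not yet published")                          # 60-day default
    return rec

if __name__ == "__main__":
    for e in demo().entries:
        print(e["at"], e["asset"], e["reason"], "->", e["clock_days"], e["due"])
```

Each entry keeps the inputs alongside the computed clock, so an auditor can replay any deadline from the recorded facts rather than trusting the number.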

Done right, the same data that drives your remediation drives your audit response. That is the difference between “compliance as a byproduct of good security” and “security as a byproduct of compliance.” And as discussed, only the former of those two options actually works.

Evolving From a Security Operations Center to a Risk Operations Center

There is one more transition worth naming and it deserves more room than this piece can give it: BOD 26-04 may be the forcing function that finally turns the Security Operations Center (SOC) into a Risk Operations Center (ROC).

The SOC most agencies run today is an artifact of the compliance-telemetry era. It is organized around alerts and the research is brutal on what that produces: false-positive rates reported as high as 99% in some environments, analysts drowning in noise and triage queues that measure activity instead of risk. A SOC answers “what happened?”

A ROC answers the question BOD 26-04 actually asks: “what is our exposure right now and what action retires the most risk next?” Same people, same telemetry pipes, but the organizing principle shifts from the alert to the exposure and the output shifts from a closed ticket to a retired risk on a 3-, 14- or 60-day clock. Even M-26-14, forward-leaning as it is, still anchors monitoring to the agency’s highest-level SOC: it modernized the telemetry but kept the institution. The institution is the next thing to modernize, and done right, a ROC running agentic AI on the risk loop, with humans holding the mission-critical decisions, becomes permanently audit-ready as a byproduct.

That shift, agentic AI working the risk loop 24×7 while humans stay on the mission, the governance guardrails that keep autonomous action from becoming the threat actor and what a ROC means for the federal workforce, is a transformation in its own right. I will make the full case in a forthcoming piece dedicated to the Risk Operations Center.

From the Security Operations Center to the Risk Operations Center

The institutional shift BOD 26-04 invites: from an alert-organized SOC to an exposure-organized ROC, with agentic AI on the loop and humans on the mission.

The Mentality Shift Is the Mandate

The technical requirements of BOD 26-04 are demanding: continuous exposure identification, machine-readable reporting, automated CDM integration, forensic triage on a three-day fuse. But the harder lift is cultural. For twenty years, federal cybersecurity has been graded on the completeness of its paperwork. This directive grades agencies on the quality of their decisions. Some organizations will find that liberating. Others will find it terrifying, because a checklist protects the institution from judgment and judgment is precisely what BOD 26-04 demands.

Compliance is not the destination. Operational resilience is the path forward, and for the first time, federal vulnerability management policy points directly down that road and insists agencies follow it. The agencies that thrive under this directive will be the ones that adopt risk-based telemetry collection, run the CTEM loop continuously and stop asking “what does the auditor want to see?” Instead, they will continually ask what an adversary might be able to reach.

Compliance validates that controls exist. Risk-based telemetry validates that controls work. BOD 26-04 finally demands the latter. As it happens, the agencies that embrace BOD 26-04 will also have the easiest audits.

But the easiest audit is not the reward worth chasing — operational resilience is and the clock to reach it is already running. BOD 26-04 is in effect now. Phase I obligations are counting today; the 60-day process deadline and the 180-day deadline to meet every Table 1 timeline and tag every asset will arrive faster than any procurement cycle. The agencies that wait for the updated Inspector General metrics to define “good” will spend those months reacting. The ones that move now will spend them building.

Ask Your Program Four Questions This Week

  • Can you prove, today, what is publicly exposed?
  • Can your platform compute and recompute the Table 1 timelines automatically as exposure and the KEV change?
  • Is your automated Continuous Diagnostics and Mitigation (CDM) data accurate enough to set the right clock and survive an audit?
  • If the three-day forensic-triage tier fires tonight, can you execute?

Where any answer is “not yet,” you have found your starting point — and the gap is rarely a missing tool. It is risk-based telemetry that has never been labeled, correlated or trusted.

This is the work we do with federal agencies at GuidePoint Security every day: turning a binding directive into a defensible operating model — assessing exposure, building the Continuous Threat Exposure Management (CTEM) loop and standing up the risk-based telemetry that makes remediation and the audit a byproduct of good security rather than a parallel paper chase. If your team is staring at the 180-day clock and a compliance-era toolset, let’s talk before it runs out. Zero trust was never the destination. Operational resilience is — and BOD 26-04 is the clearest road there the federal government has ever drawn. Let’s walk it.

Federal Chief Information Security Officer (CISO)
GuidePoint Security

Timothy Amerson is currently the Federal Chief Information Security Officer (CISO) at GuidePoint Security, while also serving as the President of the Board of Directors for The KEY (Keep Elevating Yourself) Community Non-Profit. He brings more than 30 years of distinguished service in federal cybersecurity leadership. Most recently, he served as the CISO and Associate Commissioner at the Social Security Administration (SSA), where he was recognized as a 2023, 2024 and 2025 Top 100 Information Security Professional; 2024 FedScoop Top 50 Federal Leader Nominee; 2025 CyberScoop Government Leaders, FedScoop Top 50 Federal Leader Nominee and Finalist US Forces in Business Lifetime Achievement Award. At SSA, Mr. Amerson was responsible for enterprise-wide cybersecurity operations including Cybersecurity Risk Management (CSRM), Zero Trust Architecture (ZTA), FISMA compliance metrics, 24×7 Security Operations Center (SOC), Continuous Diagnostics and Mitigation (CDM), Red and Blue Team operations, Vulnerability Management, Insider Threat programs, Cyber Supply Chain Risk Management (C-SCRM) and secure software practices. Under his leadership, SSA’s FISMA scores increased from 70% to 98%, elevating the agency to one of the top performers across all Federal Civilian agencies. Prior to SSA, Mr. Amerson held multiple senior leadership roles at the Department of Veterans Affairs (VA), including Director of Infrastructure Cybersecurity Management, Cybersecurity Product Line Manager and (Detailed) Director of the National Data Center Operations and Logistics program. He was named a 2021 FedScoop “Best Bosses in Federal IT” finalist for his transformational leadership. He began his Federal Civilian IT career on the help desk at the Texas National Guard Joint Force Headquarters and rose through the ranks to become Chief Technology Officer.
Mr. Amerson is a decorated Army veteran with 32 years of service, including combat and state-side deployments, and has served as Platoon Leader, Commander and Operations Officer. He also served as Deputy of the Computer Emergency Response Team and Deputy of the Defense Cyberspace Operations Element, and established the first multi-state Cyber Protection Team (CPT). He participated in and led Red and Blue Team activities during major national cyber exercises, including Cyber Storm (DHS), Cyber Shield (USCYBERCOM) and Cyber Guard (NGB), in partnership with the NSA, FBI, FEMA and ODNI. He has received numerous commendations, including the Legion of Merit, Bronze Star Medal, four Meritorious Service Medals and recognition from several professional associations, including the Silver Order of Thor (Cyber), the Silver Order of Mercury (Signal) and the Bronze Order of Saint George (Cavalry). He holds a Master of Science in Computer Science with a Specialization in Cybersecurity (Summa Cum Laude) and a Bachelor of Science in Computer Information Systems, is a graduate of the Army Cyber Center of Excellence and the Command & General Staff College and maintains over 30 certifications, including Certified Information System Security Professional (CISSP), Project Management Professional (PMP), Certified Ethical Hacker (CEH and Hall of Fame), Certified Chief Information Security Officer (aC|CISO), Certified Competency in Zero Trust (CCZT), International Society of Automation (ISA)/International Electrotechnical Commission (IEC) 62443 Cybersecurity Expert and Microsoft Certified Educator (MCE). In his personal time, Mr. Amerson is passionate about cybersecurity, education and outreach. He served as a conference coordinator for the Texas Cyber Summit and DEF CON and mentored students on cybersecurity teams at both the high school and collegiate levels, resulting in numerous national awards, grants and scholarships.
