The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive 26-04, requiring Federal Civilian Executive Branch agencies to patch critical exploited vulnerabilities within three days.
CISA's new directive sets an aggressive timeline for addressing actively exploited security flaws across federal systems. Agencies must apply patches to critical vulnerabilities within 72 hours of notification, a significant reduction from standard patching windows.
Binding Operational Directives carry legal force and mandate compliance from all FCEB agencies. The three-day requirement applies specifically to vulnerabilities that meet CISA's criteria for critical severity and evidence of active exploitation in the wild.
The directive reflects growing urgency around federal cybersecurity posture. Agencies that fail to comply face potential escalation and reporting requirements to senior leadership. CISA will monitor compliance through existing federal security frameworks and vulnerability tracking systems.
The 72-hour window acknowledges the operational reality of federal IT environments while emphasizing speed over traditional change management procedures. Agencies must balance rapid patching with system stability and continuity.
CISA maintains a catalog of known exploited vulnerabilities, which serves as the primary reference for determining which flaws trigger the three-day requirement. The agency regularly updates this list based on threat intelligence and incident data.
This directive joins CISA's earlier BOD 22-01, which required agencies to patch critical remote code execution and authentication bypass vulnerabilities within 15 days. The new 26-04 directive tightens that timeline for the most dangerous threats.
Federal agencies must designate patch management coordinators and establish processes for rapid vulnerability assessment, testing, and deployment. IT teams will need to streamline change approval workflows to meet the compressed timeline.
CISA encourages agencies to leverage automated patch management tools and maintain pre-positioned testing environments to accelerate deployment. The directive also permits temporary mitigations for systems requiring extended testing before patching.
Security researchers discovered 21 previously unknown vulnerabilities in FFmpeg, the widely-used multimedia framework. The findings raise concerns about the security posture of a project relied upon by millions of applications.
An unnamed British police officer faces criminal investigation for allegedly using artificial intelligence to create evidence in multiple cases. The officer has been removed from frontline duties in what authorities describe as the first known case of its kind in the UK.
A growing market of DIY gadgets in China allows drivers to circumvent Tesla's distracted-driving safeguards. Tiny plastic heads, blinking screens, and celebrity figurines trick the vehicle's camera into thinking the driver is paying attention.
Section 702 of the Foreign Intelligence Surveillance Act expires tonight, but surveillance operations will proceed under a certification that remains valid until March 2027.