{"data":{"id":"c9c6a46d-cd34-4190-8914-8f3204d7241b","title":"CISA tells agencies to patch smarter, not harder — foreshadowing broader industry practice","summary":"Organizations are struggling to patch vulnerabilities fast enough, with only 26% of actively exploited vulnerabilities fully fixed while attackers have reduced their exploitation time to hours or days. CISA issued Binding Operational Directive 26-04, which tells federal agencies to prioritize patching based on four factors (public exposure, known exploitation, automatable attacks, and post-exploitation impact) rather than just severity scores (CVSS, a 0-10 rating of how severe a vulnerability is), recognizing that AI is accelerating both vulnerability discovery and exploitation. Vulnerabilities meeting three or more of these risk factors must be patched within three days, while lower-risk ones can follow longer timelines.","solution":"CISA's Binding Operational Directive 26-04 introduces a decision framework considering four key factors: whether the vulnerable system is publicly exposed to the internet, whether the vulnerability is listed in the KEV (Known Exploited Vulnerabilities) catalog, whether an attacker can automate exploitation, and how much control an attacker would gain after exploitation. Vulnerabilities exhibiting three or more of these attributes must be patched within three days, while lower-risk vulnerabilities can be addressed on longer timelines or deferred until the next major system upgrade.","labels":["policy","security"],"sourceUrl":"https://www.csoonline.com/article/4183750/cisa-tells-agencies-to-patch-smarter-not-harder-foreshadowing-broader-industry-practice.html","publishedAt":"2026-06-10T20:23:35.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":null,"severity":"info","attackType":[],"issueType":"news","affectedPackages":null,"affectedVendors":[],"affectedVendorsRaw":[],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":null,"disclosureDate":"2026-06-10T20:23:35.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["availability"],"aiComponentTargeted":null,"llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}