The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive 26-04, requiring Federal Civilian Executive Branch (FCEB) agencies to patch critical exploited vulnerabilities within three days.
CISA's new directive sets an aggressive timeline for addressing actively exploited security flaws across federal systems. Agencies must apply patches to critical vulnerabilities within 72 hours of notification, a significant reduction from standard patching windows.
Binding Operational Directives carry legal force and mandate compliance from all FCEB agencies. The three-day requirement applies specifically to vulnerabilities that meet CISA's criteria for critical severity and evidence of active exploitation in the wild.
The directive reflects growing urgency around federal cybersecurity posture. Agencies that fail to comply face potential escalation and reporting requirements to senior leadership. CISA will monitor compliance through existing federal security frameworks and vulnerability tracking systems.
The 72-hour window acknowledges the operational reality of federal IT environments while emphasizing speed over traditional change management procedures. Agencies must balance rapid patching with system stability and continuity.
CISA maintains a catalog of known exploited vulnerabilities, which serves as the primary reference for determining which flaws trigger the three-day requirement. The agency regularly updates this list based on threat intelligence and incident data.
This directive joins CISA's earlier BOD 22-01, which required agencies to patch critical remote code execution and authentication bypass vulnerabilities within 15 days. The new 26-04 directive tightens that timeline for the most dangerous threats.
Federal agencies must designate patch management coordinators and establish processes for rapid vulnerability assessment, testing, and deployment. IT teams will need to streamline change approval workflows to meet the compressed timeline.
CISA encourages agencies to leverage automated patch management tools and maintain pre-positioned testing environments to accelerate deployment. The directive also permits temporary mitigations for systems requiring extended testing before patching.