← Learn
Playbook9 min read

The KEV-driven emergency patch window — a CISO decision playbook for BOD 26-04

Short definition

A decision playbook for when a product you run lands on the CISA KEV catalogue: how to assign the right remediation clock under BOD 26-04 and choose between patch, mitigate, or isolate.

Why this matters now

When a product you run lands on the CISA KEV catalogue, "patch everything by CVSS" is no longer the benchmark. On 10 June 2026 CISA issued [BOD 26-04](https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk), revoking BOD 22-01 and replacing the flat two-week KEV deadline with a risk-based model that can demand remediation in **as little as 3 calendar days** — and that federal directive is the de-facto private-sector benchmark your insurer, auditor and regulator will measure you against. Getting the tier wrong cuts both ways: miss the 3-day band on an exploited, internet-facing flaw and you are negligent; treat every KEV entry as a 3-day fire drill and you exhaust the team before the one that matters arrives.

Key points

  • The clock changed in June 2026. [BOD 26-04](https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk) revoked BOD 22-01's flat 14-day KEV rule and replaced it with a **risk-based tier**: 3 days, 14 days, 60 days, or next scheduled upgrade.
  • The tier is decided by a **combination of four signals — public exposure, KEV listing, exploit automation, and total-vs-partial system control — not by the CVSS base score**.
  • **KEV-listed + total system control = 3 calendar days** plus mandatory forensic triage — the tightest band, regardless of whether the asset is internet-exposed.
  • The clock starts when **CISA adds the CVE to [KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) or you discover it on your systems**, whichever is first. Treat every asset as publicly exposed until you can prove it is not.
  • Your three moves are **patch, mitigate, or isolate**. Taking the asset offline removes the exposure signal and *relaxes* the clock — a legitimate tactic when you cannot patch in-window.
  • Do not spend a 3-day emergency window on a CVE that is not actually exploitable in your configuration — **validate real exploitability and reachability before you triage**, or you burn the team on the wrong findings.

Scope and when this playbook fires

Use this playbook the moment any of these is true for a product in your estate:

  • A CVE affecting software or an appliance you run is added to the CISA Known Exploited Vulnerabilities (KEV) catalogue. In June 2026 alone CISA added 23 entries, six of them zero-days — recent examples include CVE-2026-20245 (Cisco Catalyst SD-WAN Manager), CVE-2026-20230 (Cisco Unified Communications Manager SSRF), and three Ubiquiti UniFi OS flaws.
  • A vendor advisory or credible researcher report says a CVE in your stack is being exploited in the wild, even before CISA lists it.
  • Your own scanning or a threat-intel feed shows an actively-exploited vulnerability present on an asset you own.

The playbook answers two questions in order: what clock am I on, and do I patch, mitigate, or isolate. It assumes the vulnerability is real and present; confirming presence is a prerequisite, not part of this playbook.

Not in scope: a routine monthly patch cycle with no exploitation evidence (that is patch management), a CVE that scanning proves is not present in your environment (close it and move on), or a full breach where exploitation of *your* instance is already confirmed — at that point you are in incident response, not emergency patching, and the regulator notification clocks (NIS2 24h, DORA 4h) dominate.

The clock: BOD 26-04 replaced the flat KEV deadline with risk-based tiers

For four years the benchmark was simple: BOD 22-01 gave federal agencies 14 days to remediate any KEV-listed CVE (and six months to clear the initial backlog). Private-sector CISOs, insurers and auditors adopted that 14-day figure as the reasonable-time standard even though the directive bound only US federal civilian agencies.

That changed on 10 June 2026. CISA issued BOD 26-04, "Prioritizing Security Updates Based on Risk", which revokes and replaces BOD 22-01 (and BOD 19-02). It abandons the flat KEV deadline and CVSS-driven prioritisation for a risk-based tier decided by a combination of four binary signals:

  • Public exposure — is the asset reachable over a public network by an unauthenticated user? *Treat it as exposed by default unless you can prove otherwise.*
  • KEV status — is the CVE on the CISA KEV catalogue?
  • Exploit automation — can an adversary fully automate exploitation (weaponised, reliable, no manual step)? EPSS and public exploit availability inform this.
  • Technical impact — does exploitation grant total system control or only partial?

The combination decides the band, not a headcount of signals. The tiers:

  • 3 calendar days + mandatory forensic triage — the CVE is KEV-listed and yields total system control, regardless of exposure or automation.
  • 3 calendar days (no forensic triage) — a publicly exposed asset with an automatable exploit yielding total control, even if not yet KEV-listed.
  • 14 days — the standard band for most KEV-listed vulnerabilities and several high-risk non-KEV combinations.
  • 60 days — lower-risk cases, e.g. a non-exposed asset with an automatable but only partial-control flaw.
  • Fix on the next scheduled system upgrade — no risk criteria met.

Two rules govern the clock. It starts when CISA adds the CVE to KEV *or* when you discover the vulnerability on your systems — whichever is first. And it is dynamic: taking an asset offline removes the exposure signal and can move it to a slower band, while a KEV listing tightens it. Agencies must align processes by the 60-day mark (August 2026) and reach full compliance within 180 days (December 2026) — the window in which this becomes the benchmark everyone else is held to.

Hour 0 to 24 — triage the four signals and assign the tier

Goal: within the first day, establish the four signals and assign the correct band. Give it an owner — this is a decision, not a scan.

Triage checklist:

  • Confirm the CVE applies to a version you actually run. Match the advisory's affected-version range against your asset inventory / SBOM. A KEV entry for a product family you do not deploy is not your clock.
  • Determine exposure. Is the vulnerable service reachable from an untrusted network by an unauthenticated user? If you cannot answer with evidence — external attack-surface data, firewall rules, a reachability test — default to exposed. That is the BOD 26-04 rule and the safe assumption.
  • Determine exploit automation. Is there a weaponised, reliable public exploit? Is it KEV-listed (in-the-wild use is confirmed by definition)? Check the EPSS probability and public PoC availability. A KEV listing plus a working PoC means assume automatable.
  • Determine technical impact. Does successful exploitation give total control (RCE as root/SYSTEM, full authentication bypass, admin takeover) or partial (info disclosure, limited privilege, DoS)?
  • Assign the band from the tier list and write down *why* — the four signal values and the resulting deadline. That one-line justification is your audit trail and the thing an insurer or regulator will ask for.

Worked example: a KEV-listed pre-authentication RCE on your internet-facing gateway → KEV = yes, exposure = yes, automation = yes, impact = total. Band: 3 days with forensic triage (KEV + total control), and because it is exposed and exploited you also open an incident-response track in parallel. Contrast a partial-info-disclosure CVE on an internal-only host with no public PoC → likely the 60-day or next-upgrade band. Same week, same KEV feed, two very different clocks.

The decision — patch, mitigate, or isolate

Once the band is set, you have three moves. Choose per asset, not per CVE — the same vulnerability on an exposed gateway and on an air-gapped host are different decisions.

1. Patch — the default when a vendor fix exists and you can deploy *and validate* it inside the band. Deploy to the highest-risk (exposed, total-control) instances first, then work down. A patch is not remediation until you confirm the vulnerable path is actually closed — some fixes require a configuration change or service restart the version string does not reflect.

2. Mitigate (compensating controls) — when no patch exists, the patch cannot be validated in time, or patching would break a critical service. Options, in rough order of strength: disable the vulnerable feature or endpoint, apply the vendor-supplied workaround, add a WAF/IPS signature for the exploit, restrict network reachability to the vulnerable service, or tighten authentication in front of it. Document the mitigation as temporary with a target patch date — a compensating control is a clock-extender, not a close-out.

3. Isolate / take offline — when you can neither patch nor adequately mitigate an exposed, high-impact asset. Removing public reachability directly removes the exposure signal, which under BOD 26-04 can move the asset to a slower band and buy the time to patch safely. This is not a failure move; it is the correct move when the alternative is running a known-exploited, internet-facing, total-control flaw. For an asset you can afford to lose access to temporarily, isolation is often faster and safer than a rushed production patch.

The anti-pattern this replaces: patching in CVSS-score order. A CVSS 9.8 on a non-exposed, partial-impact internal host can wait; a CVSS 7.2 that is KEV-listed, exposed and yields total control is a 3-day fire. BOD 26-04 exists precisely because the CVSS base score is a poor proxy for real risk.

Move fast without breaking production — the emergency change

A 3-day band collides with change-management processes built for two-week cycles. Pre-build the emergency path so the clock is not consumed by process:

  • Pre-authorised emergency-change lane. Agree in advance — with the change board and service owners — that a KEV-listed, exposed, total-control finding auto-qualifies for emergency change, with no wait for the weekly board. Capture the approval trail; do not skip it.
  • Rollback plan first. Before deploying, know the exact rollback: snapshot/restore point, previous package version, config backup. The emergency-patch failure most likely to hurt you is a bad patch taking down the very service you were protecting.
  • Canary, then fan out. Deploy to one representative instance, confirm the service is healthy and the vulnerable path is closed, then roll to the rest. Even in a 3-day window there is time for a one-hour canary.
  • Validate closure, not just deployment. Re-test the specific exploit primitive against the patched instance, or confirm the config change took effect. "The patch installed" and "the exploit no longer works" are different claims; the regulator and your insurer care about the second.
  • Record the timeline. Clock-start (KEV date or discovery), band assigned, decision (patch/mitigate/isolate), deployment time, validation result. This is the evidence a BOD-aligned auditor, a cyber-insurer, or a NIS2/DORA supervisor will ask to see.

Evidence checklist — what to keep and in what order

Keep these ready, ordered by which gate consumes them — the point is to prove, to an auditor or insurer, that you ran a defensible risk-based process rather than patched by instinct:

  • Trigger record — CVE ID, KEV listing date (or your discovery date), the advisory/researcher report that established in-the-wild exploitation, and the timestamp you became aware. This fixes clock-start.
  • Applicability evidence — the asset-inventory / SBOM query proving the vulnerable version is (or is not) present, and where.
  • The four-signal worksheet — exposure, KEV status, automation, impact, each with the evidence behind it, and the resulting band with its deadline. The single most important artefact.
  • Decision record — patch / mitigate / isolate, per asset, with rationale.
  • Change + rollback record — emergency-change approval, deployment timestamps, canary result, rollback plan.
  • Closure validation — proof the vulnerable path is actually closed (re-test result or config confirmation), not merely that a package installed.
  • Residual-risk register — any asset left on a compensating control, with its target patch date.

The recurring bottleneck peer organisations report is not deploying the patch — it is **defensibly deciding which of the week's KEV entries is actually a 3-day fire in *their* environment**, because the four signals (especially real exposure and real exploitability) are expensive to establish by hand under deadline. Continuously validating whether a KEV-listed CVE is genuinely reachable and exploitable against your deployed configuration — before it lands, not during the fire drill — is exactly what Zero Hunt's AI Generative Pentest rail is built for: a 10-agent swarm writes a per-target exploit chain, backtested in the AI Gym before it runs, so "exposed" and "exploitable" become proven facts about *your* estate rather than worst-case assumptions. It syncs the CISA KEV catalogue and EPSS as two of its threat-intel feeds, so a new KEV listing for a product you run triggers a validation campaign automatically — turning the four-signal worksheet from a manual scramble into a standing answer.

Common failure modes

1. Prioritising by CVSS instead of risk. The exact habit BOD 26-04 abolishes. A CVSS 9.8 on a non-exposed, partial-impact host is not a 3-day fire; a KEV-listed, exposed, total-control CVSS 7.x is. Rank by the four signals, not the base score.

2. Assuming "not exposed" without proof. BOD 26-04 says treat every asset as publicly exposed until you can demonstrate otherwise. Teams routinely under-rate exposure because they trust an out-of-date network diagram; verify reachability, do not assume it.

3. Treating every KEV entry as a 3-day emergency. The opposite failure — burning the team on every listing until they stop responding to any. Most KEV entries land in the 14-day band; reserve the 3-day fire drill for KEV + total control (or exposed + automatable + total control).

4. Calling "patch installed" the finish line. If the fix needs a config change, a service restart, or a certificate rotation the version string does not capture, the exploit may still work. Validate closure against the actual exploit path — the same trap the edge-device playbook documents.

5. Forgetting that isolation is a legitimate move. Under a risk-based clock, taking an unpatched exposed asset offline removes the exposure signal and buys time — often the right call, not a defeat.

6. Never validating real exploitability. The most expensive failure at scale: pouring 3-day emergency effort into KEV entries that are not actually exploitable in your configuration, while a genuinely reachable one waits. Without continuous adversarial validation of your own estate, the four-signal triage runs on assumptions — and assumptions are what BOD 26-04 was written to replace.

Cross-framework notes

BOD 26-04 binds only US federal civilian agencies, but its reach is far wider because it is the most concrete government-issued statement of "reasonable time to remediate" — and that is the standard everyone else is measured against:

  • NIS2 (essential/important entities) requires a risk-based vulnerability-handling and patch process; a KEV-listed, exposed, exploited flaw left past a reasonable window is precisely the negligence a supervisor looks for after an incident. If exploitation of your instance is confirmed, the 24h/72h/1-month notification clock starts on top of the patch clock.
  • DORA (financial entities) mandates ICT vulnerability management and rapid remediation of exploited flaws affecting critical or important functions; the 4h/72h/1-month incident clock applies the moment exploitation is classified as a major incident.
  • Cyber insurance. Renewal questionnaires increasingly ask for a KEV-aligned patch SLA; a policy may sub-limit or contest a claim where a KEV-listed CVE sat unremediated past your stated window. BOD 26-04's tiers are becoming the reference those SLAs are written against.
  • The de-facto benchmark. Whether or not you are federal, "we remediated per the CISA BOD 26-04 risk tiers" is a defensible answer to an auditor, a board, or a court; "we had not gotten to it" against a KEV-listed, exposed, exploited flaw is not.

The operational discipline is the one that runs through every incident playbook: decide once, evidence everywhere. The four-signal worksheet, the decision record and the closure validation are the same artefacts your NIS2 vulnerability-management audit, your DORA resilience-testing evidence, and your insurance renewal all draw from — build the record once and export it into each frame.

Goes deeper

Want this against your environment?

Book a 30-minute scoping call — we will map this directly to your current compliance scope and threat profile.