Resources

/

Podcasts

/

Product Talk

CISA's BOD 26-04 Directive Explained

Episode 26   Published June 11, 2026 27 minute watch

Product Talk

Welcome to Product Talk, your ultimate guide to the features and use cases of Automox, hosted by Peter Pflaster and Steph Rizzuto. This podcast peels back the layers of Automox’s endpoint management software, discussing its various features, practical uses, and the transformative impact it has on businesses. Join Peter and Steph as they explore the nooks and crannies of the Automox product and help you leverage its full potential for your IT needs.

Host

Peter Pflaster
Jason Kikta is the CTO of Automox

Guest

Jason Kikta

RECENT EPISODES

Best-In-Class Remote Control

CISA's BOD 26-04 Directive Explained

[Nothing Weaponized, Everything Exposed]

[AI Hits the Hat Trick], Ep. 32

View all episodes

Available wherever you get your podcasts

Youtube

Apple Podcasts

Spotify

Overcast

Pocket Casts

Amazon Music

Castro

Goodpods

Castbox

Podcast Addict

Player FM

Deezer

Summary

CISA's binding operational directive BOD 26-04 retires severity-based patching for federal civilian agencies and replaces it with an exploit-evidence model that can demand fleet-wide remediation in as little as three days, no exceptions. Urgency now comes from four signals fed through a 16-row decision tree rather than a CVSS score, and the default flips from "give me a rationale to patch" to "justify why you can't." Automox CTO Jason Kikta expects the directive to filter down through federal contractors, cyber insurance, and board-level decisions the way the KEV catalog did. The real work is measuring your remediation SLA for actively exploited vulnerabilities, meeting it, and then driving it lower before the clocks tighten.

Takeaways

  1. BOD 26-04 binds U.S. federal civilian agencies, not private companies or the Department of Defense, but Kikta expects it to filter down through federal contractors, cyber insurance, and regulations the way the KEV catalog did.

  2. CISA sets urgency from four signals: whether the asset is publicly exposed, whether the vulnerability is on the Known Exploited Vulnerabilities catalog, whether an attacker can automate the exploit, and how much control successful exploitation grants.

  3. The remediation tiers are three days for the highest-risk vulnerabilities (fleet-wide, no exceptions), then 14 days, 60 days, and formal deferral to the next maintenance window.

  4. The clock is dynamic: pull a system offline and it relaxes, but if the flaw lands on KEV it tightens. If an agency can't prove an asset isn't exposed, CISA assumes it is and assigns the fastest clock.

  5. KEV median resolution has improved to about 43 days, and Kikta frames the central challenge as closing the gap from 43 days down to three.

Topics

Vulnerability Remediation

See for yourself how policy-driven IT Automation saves time and eliminates risk.

Dive deeper into this topic

CISA BOD 26-04 sets a 3-day patch deadline for federal agencies. Here's what changed, why it will reach your organization, and what to do before it does
The Three-Day Clock: What CISA's New Patching...

CISA BOD 26-04 sets a 3-day patch deadline for federal agencies....

Dirty Frag: What You Need to Know and How to...

Dirty Frag is an unpatched Linux LPE chain affecting esp4, esp6,...

The Math of Modern Attacks

Podcast

Claude Mythos: AI Vulnerability Hype vs. Evidence

Podcast