Two moves from the US government, each in its own way, redefine how the public sector manages vulnerabilities and how AI enters federal cyberdefense. At Tech86, we track these changes closely because what CISA decides today for federal agencies tends to become the market standard tomorrow.
BOD 26-04: CVSS is no longer the driver
According to CISA, BOD 26-04 replaces BOD 22-01 and BOD 19-02, which used CVSS as the primary patching prioritization criterion. The new model is different: 4 binary factors determine the remediation deadline.
The factors are yes-or-no questions: is the asset publicly exposed? Is the vulnerability in the KEV (Known Exploited Vulnerabilities) catalog? Is exploitation automatable? Does the attacker gain total or partial control? Four binary factors produce 16 possible combinations. The highest tier requires remediation within 3 calendar days. According to CISA, this tier is reached when the vulnerability is in the KEV and grants total control to the attacker, regardless of exposure or automation. Alternatively, exposed asset + automatable exploitation + total control also reaches the 3-day tier, even without KEV presence.
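As an added example (not code from CISA and not part of the original post), the following Python models the four-factor tiering exactly as described above and enumerates all 16 combinations. The sample findings are constructed for illustration and are not real vulnerabilities. Because the text only gives the rules and deadline for the top tier, every other combination is labelled with a placeholder tier rather than an invented deadline.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from itertools import product
from typing import Dict, List, Optional, Tuple

# The four yes/no factors BOD 26-04 uses, as described in the text.
@dataclass(frozen=True)
class Factors:
    exposed: bool        # is the asset publicly exposed?
    in_kev: bool         # is the vulnerability in CISA's KEV catalog?
    automatable: bool    # is exploitation automatable?
    total_control: bool  # does the attacker gain total (rather than partial) control?

THREE_DAY_TIER = "3-day"
# Placeholder label: the text only defines the top tier, so no other deadline is assumed here.
OTHER_TIER = "other tier (not specified here)"

def is_three_day_tier(f: Factors) -> bool:
    """Either route into the 3-day tier described in the text."""
    kev_route = f.in_kev and f.total_control                     # KEV + total control, regardless of exposure/automation
    exposure_route = f.exposed and f.automatable and f.total_control  # exposed + automatable + total control, even without KEV
    return kev_route or exposure_route

def tier_for(f: Factors) -> str:
    return THREE_DAY_TIER if is_three_day_tier(f) else OTHER_TIER

def remediation_deadline(f: Factors, discovered: date) -> Optional[date]:
    """3 calendar days from discovery for the top tier; None where the text gives no deadline."""
    if is_three_day_tier(f):
        return discovered + timedelta(days=3)
    return None

def all_combinations() -> List[Factors]:
    """The 16 possible answer sets to the four binary questions."""
    return [Factors(*bits) for bits in product([False, True], repeat=4)]

def count_three_day_combinations() -> int:
    """How many of the 16 combinations land in the 3-day tier under the two rules above."""
    return sum(1 for f in all_combinations() if is_three_day_tier(f))

# Constructed sample findings (hypothetical asset names, no real CVEs).
SAMPLE_FINDINGS: Dict[str, Factors] = {
    "internal-db-kev-rce":      Factors(exposed=False, in_kev=True,  automatable=False, total_control=True),
    "public-web-wormable-rce":  Factors(exposed=True,  in_kev=False, automatable=True,  total_control=True),
    "public-web-info-leak":     Factors(exposed=True,  in_kev=False, automatable=True,  total_control=False),
    "kev-partial-control":      Factors(exposed=True,  in_kev=True,  automatable=True,  total_control=False),
}

def triage(findings: Dict[str, Factors], discovered: date) -> Dict[str, Tuple[str, Optional[date]]]:
    """Map each finding to (tier, deadline) so the 3-day items surface first."""
    return {name: (tier_for(f), remediation_deadline(f, discovered)) for name, f in findings.items()}

if __name__ == "__main__":
    print(f"{count_three_day_combinations()} of 16 combinations reach the 3-day tier")
    for name, (tier, due) in triage(SAMPLE_FINDINGS, date(2026, 6, 10)).items():
        print(f"{name:28s} {tier:32s} due={due}")
```

Running it shows that only 5 of the 16 combinations reach the 3-day tier, which is consistent with the small share of findings the text says land there; the two KEV findings illustrate that KEV membership alone is not enough and total control is required on both routes.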
According to CISA, in a large civilian agency, only about 1% of vulnerabilities fall into the 3-day tier. Over 60% can be deferred to the next upgrade cycle. This is a structural shift: the focus moves from "patch everything with high CVSS" to "patch what actually matters first."
At Tech86, we have seen this dynamic in practice. Patch parity (applying patches equally across all assets) is not the same as coverage parity (ensuring the most critical assets are protected first). BOD 26-04 formalizes what security operators already knew: prioritizing by real risk beats prioritizing by generic score.
The threat that patching does not solve
In a complementary publication, according to CISA, threat actors "do not primarily compromise core networks through product vulnerabilities." They use valid credentials and exploitable configurations — the tactic known as living off the land (LOTL). This is consistent with what we observe in real operations: the most likely compromise path is not a zero-day, it is a leaked credential combined with missing MFA.
LOTL is addressed by hardening, network segmentation, and phishing-resistant MFA, not by patching. CISA is explicitly saying that applying patches does not solve the most probable attack vector. This does not mean patching is irrelevant — it means patching alone is insufficient.
The time compression that AI brought to the vulnerability window makes this more urgent. If the window between discovery and exploitation has collapsed, prioritizing what actually matters is not optimization — it is survival.
EO 14409: AI as a defense tool
According to the White House, Executive Order 14409, signed on June 2, 2026, sets concrete deadlines. Within 30 days, CISA must issue BODs to accelerate defense of civilian federal systems, expand AI-enabled defensive tools, and facilitate access to covered frontier models for federal agencies, state and local authorities, and critical infrastructure — including rural hospitals, community banks, and local utilities. According to CISA, BOD 26-04 was issued on June 10, within the deadline established by EO 14409.
Within 60 days, according to the EO, NSA must develop classified benchmarking to define what constitutes a covered frontier model. The order also establishes a voluntary framework for developers to offer access up to 30 days before release, a timeline reduced from the 90 days in earlier drafts of the order.
The EO forms an AI Cybersecurity Clearinghouse, led by the Treasury with participation from NSA, CISA, and the National Cyber Director, to coordinate scanning, validation, and patch distribution in voluntary collaboration with the AI industry. And Section 3(c) is clear: nothing authorizes mandatory government licensing, pre-clearance, or permitting for AI models. The framework is voluntary.
The capacity paradox
According to reports from specialized outlets, CISA lost approximately one-third of its workforce through a combination of permanent losses, temporary shutdown impacts, and proposed cuts. The FY2027 budget proposal cuts 867 positions. Acting director Nick Andersen acknowledged capacity impacts, according to public statements.
The agency that must implement AI-enabled defense, issue BODs within 30 days, coordinate a clearinghouse, and facilitate frontier model access operates with reduced capacity. This is not a detail — it is the context that determines whether policies leave the paper or remain intentions.
At Tech86, we know that policy without execution capacity is just a document. The same applies to private operations: defining risk-based prioritization is the right step, but without automated detection and response, prioritization stays in the spreadsheet and never reaches the endpoint.
Conclusion
BOD 26-04 and EO 14409 represent the same paradigm shift: prioritize by real risk and use AI for defense. CISA formalized that, for federal BODs, 4 binary factors are more effective than CVSS as a prioritization driver. The White House mandated that AI must be a defense tool, not just an attack tool. The central question is execution — and CISA operates with reduced capacity at the moment it receives more mandates. For private operations, the lesson is clear: those who do not automate triage and response at the speed real risk demands are patching in the dark. We help you see and act faster — with EDR, real-time monitoring, and autonomous response.
