CISA’s new directive officially ends federal agencies’ reliance on static vulnerability scores. Learn how Tenable One helps federal agencies pivot to dynamic asset exposure, threat validation, and AI-powered automation to meet compressed compliance timelines.

What are the implications of CISA BOD 26-04 on federal agency vulnerability management?

The Cybersecurity and Infrastructure Security Agency (CISA) fundamentally changed the rules of federal vulnerability management with the release of Binding Operational Directive (BOD) 26-04. By officially superseding BOD 19-02 and BOD 22-01, this new directive consolidates federal guidelines into a single, unified framework.

More importantly, it marks the end of using static severity scores to determine the urgency of a patch.

Driven by the rapid acceleration of AI-powered threats and increasingly sophisticated adversary campaigns, BOD 26-04 forces a pivot away from treating all vulnerabilities equally. Agencies can no longer rely on a simple checklist of Common Vulnerabilities and Exposures (CVEs). Instead, BOD 26-04 mandates a dynamic, risk-based vulnerability prioritization model built on real-world asset and threat context.

At Tenable, we believe federal agencies shouldn’t have to start from zero to meet these rigorous requirements. The Tenable One Exposure Management Platform delivers the continuous asset discovery, threat validation, and automated orchestration needed to operationalize the requirements of BOD 26-04.

How can Tenable help me comply with CISA BOD 26-04?

How Tenable One helps federal agencies assess the four key risk variables outlined in BOD 26-04

BOD 26-04 dictates that vulnerability remediation timelines must be dynamically driven by four specific risk variables: asset exposure, KEV status, exploit automation, and technical impact. Tenable One helps federal agencies assess each variable. It provides the context and validation federal environments require, backed by comprehensive threat analysis.

Variable #1: Asset Exposure

• The directive: Is the vulnerable asset publicly exposed to the internet?
• The Tenable solution: Tenable One provides multiple ways to determine which assets are externally accessible. Numerous sensors and third-party data connectors help determine whether a device is internet-facing or has a public IP address. The Asset Criticality Rating (ACR) incorporates external exposure context by taking into account the asset’s location, its network connectivity, and the presence of security controls. Tenable One Attack Surface Management (ASM) provides continuous discovery and identification of internet-facing assets. Rather than relying on a point-in-time snapshot, Tenable One gives agencies an always-on, outside-in view of their true public exposure.
• The strategic reality: Tenable analyzed the full CISA Vulnrichment corpus against BOD 26-04’s tiered model and found that asset exposure is the single highest-leverage compliance variable. Removing an asset from public exposure can shift 76.7% of CVEs from the compressed remediation timelines to the deferral tier. Attack surface reduction is not just good security; under BOD 26-04, it is the most efficient path to compliance.

Variable #2: KEV status 

• The directive: Is the vulnerability tracked on CISA's Known Exploited Vulnerabilities (KEV) catalog?
• The Tenable solution: Tenable integrates CISA’s KEV catalog directly into our Vulnerability Priority Rating (VPR) scoring and compliance workflows. Tenable Vulnerability Watch provides early identification of vulnerabilities being exploited in the wild before they appear in the KEV catalog. This early warning capability gives organizations advance notice that their remediation timeline is about to compress.
• The compliance advantage: Tenable maintains exploitation tracking that identifies active exploitation before CISA’s formal KEV listing. In a BOD 26-04 environment, this lead time gives federal agencies a compliance advantage: when a CVE is added to the KEV, the agency’s remediation timeline compresses immediately. Organizations that have advance warning can begin remediation before the mandatory clock starts, not after.

Variable #3: Exploit automation 

• The directive: Can an adversary fully automate all the steps necessary to exploit the vulnerability?
• The Tenable solution: Tenable VPR scoring natively assesses exploit maturity as a core feature: it evaluates whether functional exploit code exists, if exploitation has been observed at scale, and how accessible the path is. Tenable’s Asset Exposure Score (AES) further contextualizes risk by evaluating the combined exposure posture of each asset within the organization’s specific environment.
• Challenging the automation assumption: Tenable analyzed the full CISA Vulnrichment corpus (over 154,000 enriched CVEs) and found that 61% of actively exploited vulnerabilities cannot be automated. Most real-world exploitation is targeted, not mass-automated. This means organizations that focus remediation exclusively on automatable vulnerabilities will miss the majority of active threats. Tenable’s risk prioritization accounts for this by incorporating threat actor context, campaign intelligence, and exploitation breadth alongside automation maturity.

Variable #4: Technical impact

• The directive: Does the exploit grant the attacker partial or total control of the asset?
• The Tenable solution: Tenable integrates CVSS base scores and severity assessments for every CVE, seamlessly delivering the deep impact context required to satisfy the directive’s distinction between partial and total asset control.
• The critical density of total control: Tenable’s operational assessment reveals that 83% of actively exploited CVEs yield total system control. Under BOD 26-04, total control combined with KEV status on an internet-facing asset triggers the most aggressive compliance tier: three days with mandatory forensic triage. Because total control is the norm rather than the exception among exploited vulnerabilities, agencies should plan for the forensic triage requirement as a routine operational demand, not an edge case. Tenable One identifies the technical impact variable at platform scale, enabling agencies to isolate which vulnerabilities fall into the highest-severity compliance tiers immediately.
   

Note on changing dynamics: BOD 26-04 timelines are not static. They shift whenever any variable changes: a CVE added to the KEV, an asset newly exposed to the internet, or a Vulnrichment assessment updated from non-automatable to automatable. Compliance is a continuous state, not a point-in-time assessment. The continuous monitoring capabilities provided by Tenable One ensure that when variables shift, your agency’s prioritization shifts with them, in real time, rather than at the next scan cycle.

How vulnerability research from Tenable helps federal agencies comply with BOD 26-04

Beyond reacting to current listings, Tenable has identified over 4,400 vulnerabilities that carry the highest-risk technical profile (automatable, total system control, proof-of-concept available) but are not yet on the KEV. When any of these CVEs receive confirmed exploitation evidence, they immediately jump to the most aggressive BOD timeline: three days with mandatory forensic triage. Organizations using Tenable’s predictive prioritization capabilities can identify and begin remediating these vulnerabilities before the compliance clock starts ticking.

Tenable Vulnerability Watch and VPR scoring flag CVEs that have a high risk profile based on exploit maturity, proof-of-concept availability, and technical impact severity, giving security teams a prioritized remediation queue that anticipates KEV additions rather than reacting to them.

What’s more, the intelligence behind Tenable One is not a static vulnerability feed. It is produced by the Tenable research team through a structured intelligence methodology that assesses vulnerabilities, threat actors, campaigns, and environmental exposures as four independent but interrelated risk dimensions.

The Tenable research team tracks persistent exploitation at three levels: individual CVEs, vendor product lines, and entire technology classes. When a new vulnerability is disclosed in a product family already under sustained attack across multiple actor categories, Tenable’s persistent targeting data elevates the urgency before exploitation of that specific CVE is confirmed, giving customers lead time that single-CVE tracking cannot provide.

Tenable Vulnerability Watch classifications directly inform the platform’s priority scoring. Their exploitation tracking identifies active threats before they reach the CISA KEV catalog. Their persistent exploitation analysis distinguishes between newly emerging threats and vulnerabilities that have been under sustained attack for months across multiple actor categories. For BOD 26-04, this means Tenable customers receive not just compliance data, but the operational threat context that turns compliance into risk reduction.

Vulnerability research from Tenable helps federal agencies address the forensic triage requirement of BOD 26-04

BOD 26-04 introduces a forensic triage requirement with no precedent in prior directives. For CVEs that are both on the KEV and yield total system control (see Table 1 rows 1, 3, and 9 within the BOD), agencies must assess whether compromise has already occurred alongside remediating within three days.

This is not a niche compliance edge case. Tenable data shows that 83% of actively exploited CVEs yield total system control, which means the forensic triage obligation applies to the vast majority of KEV-listed vulnerabilities on publicly exposed systems.

Effective forensic triage requires knowing what to look for. Tenable provides the threat attribution and campaign context that forensic teams need: which actor is exploiting the vulnerability, what tools and infrastructure signatures they use, and whether the exploitation is part of a coordinated campaign targeting your sector. This is the operational intelligence layer that turns a compliance checkbox into an informed investigation.

Navigate the phased requirements of BOD 26-04 with the platform-scale automation of Tenable One

BOD 26-04 outlines strict phased implementation timelines, requiring agencies to update policies immediately (Phase 1), update processes within 60 days (Phase 2), and actively remediate assets and tag metadata within 180 days (Phase 3).

Manually evaluating four complex variables across thousands of vulnerabilities on thousands of assets is an impossible task for human analysts. This is precisely why Tenable has invested heavily in AI-powered exposure management.

• Tenable Hexa AI: Our agentic AI engine available in Tenable One orchestrates automated security workflows at machine speed. By applying risk intelligence at platform scale, Tenable Hexa AI surfaces the vulnerabilities that matter most, allowing agencies to meet compressed remediation timelines without needing to scale their security teams linearly.
• Automated asset tagging and CDM integration: Phase 3 requires agencies to continuously identify and tag all assets reachable outside the internal network with specific metadata (organization, environment, exposure, and asset type). Tenable’s robust API integrations automate this metadata tagging and seamlessly feed the structured data directly into the federal Continuous Diagnostics and Mitigation (CDM) Dashboard.

Extend governance to third-party and cloud environments

The scope of BOD 26-04 is unyielding: it applies to all federal information systems, including those hosted in third-party and cloud environments.

Whether working with the FedRAMP PMO for certified offerings or directly with cloud service providers (CSPs) for non-certified environments, agencies bear responsibility for ensuring underlying infrastructure adheres to these guidelines.

Tenable One Cloud Exposure helps agencies audit and validate that their underlying CSP infrastructures tightly align with BOD 26-04 guidelines. By unifying data across internet-facing assets, traditional IT, and cloud, Tenable One provides the centralized exposure oversight mandated by CISA.

Complying with BOD 26-04 requires the scale that Tenable One provides

As federal agencies scramble to operationalize BOD 26-04, security teams are asking a foundational question: What can my existing Tenable vulnerability management tools do today, and what requires the Tenable One Exposure Management Platform?

Currently, Tenable Security Center and Tenable One Vulnerability Management natively handle the following core baseline requirements:

• KEV status integration - Automatically identify and filter vulnerabilities listed in CISA’s KEV catalog.
• Asset segmentation: Build static asset lists to group targeted systems.

However, BOD 26-04 mandates a fundamental shift away from simple scanning toward localized context, specifically tracking CISA’s Stakeholder Specific Vulnerability Categorization (SSVC) “Vulnrichment” metadata (such as exploit automation and technical impact keys).

While CISA maintains a public repository of these enriched vulnerabilities, manually importing, filtering, and cross-referencing this data against an enterprise network requires the scale that only Tenable One provides.

This is why Tenable One is the purpose-built answer to CISA’s advanced data mandates. Tenable One doesn’t just scan for CVEs; it acts as an ingestion and orchestration engine for these exact advanced data requirements of BOD 26-04:

• Native Vulnrichment filtering - Tenable One is designed to natively surface and filter threat metrics derived from CISA’s SSVC metadata alongside Tenable’s Vulnerability Priority Rating.
• Dynamic variable merging: Traditional vulnerability management tools show you a vulnerability, but they cannot tell you in real time if that specific asset is reachable from the public internet. Tenable One seamlessly blends your internal vulnerability data with continuous Attack Surface Management (ASM) data.

For agencies asking how to filter natively on CISA’s enriched fields without waiting on legacy upgrade cycles, the answer isn’t to stretch traditional scanning tools past their design limits. Agencies can bridge this gap with Tenable One, a unified system that automates prioritization and metadata mapping to provide the real-time visibility required by BOD 26-04.

CISA BOD 26-04 accelerates federal agencies’ journey from vulnerability management to exposure management

BOD 26-04 acknowledges that the speed of modern, AI-driven cyber campaigns requires a parallel leap in defender capabilities. Moving past static compliance means embracing dynamic context and validation. With Tenable One, federal agencies gain a foundational platform built to operationalize this exact model: Tenable One delivers the continuous asset discovery, threat validation, and automated remediation workflows necessary to secure the federal enterprise. 

Ready to align your risk management with BOD 26-04?

• Read Tenable’s FAQ on CISA BOD 26-04.
• Join Tenable's Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.
• Learn more about the Tenable One Exposure Management Platform.