Washington · June 9, 2026
The Cybersecurity and Infrastructure Security Agency plans to release a binding operational directive on June 10 that will require federal civilian agencies to shift from speed-driven patch application toward risk-weighted vulnerability management, Acting Director Nick Andersen announced June 9 at the Axonius Adapt in Action conference in Washington, D.C. [1][2] The directive, which Andersen described as changing the agency's "approach to thinking about the management of risks," has no public text yet, and Andersen declined to detail its contents before publication. [1][POLITICO]
The forthcoming directive represents a direct revision of the compliance framework established by Binding Operational Directive 22-01, which CISA issued in November 2021 under then-Director Jen Easterly. BOD 22-01 established a CISA-managed catalog of known exploited vulnerabilities and required federal civilian agencies to remediate those vulnerabilities within specific timeframes. A binding operational directive is a compulsory direction to federal executive branch departments and agencies for safeguarding federal information systems, issued under authority granted to the Secretary of Homeland Security by Section 3553(b)(2) of Title 44, U.S. Code. Such directives do not apply to statutorily defined national security systems or to certain systems operated by the Department of Defense or the Intelligence Community. The new directive will apply to the same population of Federal Civilian Executive Branch agencies bound by BOD 22-01.
The binding operational directive looks to revise how federal agencies conduct vulnerability management. "Overall, our approach to date has been 'A patch is released, apply this patch as quickly as you can,'" Andersen said. Under the forthcoming directive, CISA will be "asking people to take more of a focus on risk associated with these vulnerabilities," Andersen told reporters, adding that the goal is to "highlight some patches aren't as important as others, and plugging the holes with some vulnerabilities is not as important as others." The directive will also address whether patching windows need to be shortened, and if so, by how much, and will direct federal agencies to change their vulnerability management protocols overall, Andersen said.
The new directive lands one week after President Trump signed an executive order, "Promoting Advanced Artificial Intelligence Innovation and Security," on June 2. That order directed federal agencies to establish a framework for the secure deployment of frontier AI models, including a process by which developers would voluntarily provide the government with early access to models for up to 30 days before releasing the technology to other trusted partners. The order explicitly directed the Secretary of Homeland Security, acting through the CISA director, to release binding operational directives and other guidance within 30 days to expedite the cyber defense of civilian federal systems and establish or expand AI-enabled defensive tools. Andersen acknowledged that AI-enhanced threats informed the directive in part, citing "a recognition that we're a different dynamic environment with the shorter timeline to weaponization and exploitation," but added that the discussions predated recent frontier AI announcements. He said Wednesday's directive is unrelated to the AI-focused executive order released last week.
The policy context nonetheless ties the two instruments together. The June 2 executive order came in response to advancements in new AI models, particularly the Anthropic Claude Mythos model preview, which demonstrated an ability to far outpace humans in identifying and exploiting new cyber vulnerabilities. Separately, within 30 days, the Secretary of the Treasury, in coordination with the National Cyber Director, the NSA Director, and CISA, must design a voluntary AI cybersecurity clearinghouse to coordinate and deconflict vulnerability scanning, validate vulnerabilities, and prioritize remediation and patch distribution. Treasury will formally lead the clearinghouse, with NSA and CISA serving in coordinating roles, a configuration that marks a shift from CISA's historically central position in federal vulnerability management.
CISA is also managing significant internal resource constraints as it promulgates new directives. The agency is extending nearly 200 job offers this month as it looks to reinforce its depleted ranks. Acting Director Andersen, speaking at the Axonius conference, said the agency is reorienting itself around a "ruthless" prioritization of cyber-physical risks in both federal networks and critical infrastructure. Andersen said the agency is working to hire 329 people, and will have job offers out to 182 of them by the end of June, with the first tranche of hires focused on operational capabilities including emergency communications, infrastructure security, and regional personnel. That hiring push follows personnel reductions earlier in the administration and operates against a backdrop of multiple government funding lapses. CISA's work has been hampered by government shutdowns, including delays in town-hall meetings about implementation of the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which will require key owners and operators to report major incidents within 72 hours.
References
[1] CyberScoop. (2026, June 9). CISA is rethinking how it prioritizes risks and vulnerabilities for feds, private sector. https://cyberscoop.com/cisa-cyber-risk-prioritization-vulnerability-directive/
[2] Federal News Network. (2026, June 9). CISA chief details hiring progress, AI BOD. https://federalnewsnetwork.com/cybersecurity/2026/06/cisa-chief-details-hiring-progress-ai-bod/
[3] The Record. (2026, June 9). CISA to transform how it assesses cyber vulnerabilities and risks, Andersen says. https://therecord.media/cisa-to-transform-how-it-assesses-cyber-vulns-risks
[4] CISA. (2021, November 3). BOD 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities. https://www.cisa.gov/news-events/directives/bod-22-01-reducing-significant-risk-known-exploited-vulnerabilities
[5] White House. (2026, June 2). Promoting Advanced Artificial Intelligence Innovation and Security. https://www.whitehouse.gov/presidential-actions/2026/06/promoting-advanced-artificial-intelligence-innovation-and-security/
[6] A&O Shearman. (2026, June 4). White House issues executive order on AI and cybersecurity. https://www.aoshearman.com/en/insights/trump-administration-issues-executive-order-on-ai-and-cybersecurity
[7] Federal News Network. (2026, June 2). AI executive order sets stage for new cybersecurity directives. https://federalnewsnetwork.com/cybersecurity/2026/06/ai-executive-order-sets-stage-for-new-cybersecurity-directives/
[8] Eastern Herald. (2026, June 2). Trump Signs Executive Order Creating AI Cybersecurity Clearinghouse, Elevating NSA Role. https://easternherald.com/2026/06/02/trump-ai-cybersecurity-clearinghouse-nsa-cisa-executive-order/