Today, the Cybersecurity and Infrastructure Security Agency released BOD 26-04: Prioritizing Security Updates Based on Risk, which clarifies vulnerability remediation guidelines for federal agencies. This directive applies to agency assets in any "federal information system," defined in Circular A-130 as an information system used or operated by an agency, or by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information.
CISA’s Remediation Timelines

Within 180 days of issuance, agencies must remediate each vulnerability as quickly as possible and no later than the timelines set forth in Table 1: Remediation Timelines, which uses Stakeholder-Specific Vulnerability Categorization (SSVC) for prioritization.
The Challenge with Determining Remediation Timelines
To determine the appropriate timeline, agencies must assess whether an asset is publicly exposed, whether a vulnerability is being actively exploited, whether it is automatable, and what its technical impact is. While CISA has done some of this work through Vulnrichment, only 45.8% of CVEs have SSVC coverage, leaving agencies to manually assess automatability and technical impact for more than half of all CVEs.
Automating SSVC decision criteria
In 2024, following the launch of CISA Vulnrichment, VulnCheck automated the generation of SSVC decisions, giving defenders earlier and broader access to exploitation evidence, technical impact assessments, and automatability determinations. As soon as the necessary information is available, VulnCheck automatically generates a decision without relying on manual assessment, providing government agencies with 90% coverage.

This, combined with earlier and broader exploitation indicators in VulnCheck KEV, where evidence is often available days, months, or even years before a vulnerability is added to CISA KEV, gives agencies additional insight and time to act on vulnerability remediation.
What Does This Look Like in Practice?
VulnCheck provides both VulnCheck-generated and CISA-generated SSVC decisions, giving you broad and timely coverage to determine the appropriate remediation timeline for each vulnerability.

Machine-readable SSVC decisions provide visibility into both CISA (when available) and VulnCheck assessments:
VulnCheck-NVD2 API Response Example
"ssvc": [
  {
    "source": "CISA-ADP",
    "exploitation": "ACTIVE",
    "automatable": "NO",
    "technicalImpact": "TOTAL"
  },
  {
    "source": "VulnCheck",
    "exploitation": "ACTIVE",
    "automatable": "NO",
    "technicalImpact": "TOTAL"
  }
],
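One way to consume the `ssvc` array shown above, as an added example (not VulnCheck's or CISA's code): it merges the per-source entries into a single worst-case decision, flags decision points where the sources disagree or are missing, and combines the result with asset exposure. Assumptions: value names other than those in the excerpt follow the CISA SSVC decision points in upper case, `publicly_exposed` is a hypothetical flag from the agency's own inventory, and the worst-case merge policy is a choice made here. The Table 1 timeline lookup is left to the caller.

```python
import json

# Severity order per decision point, least to most severe. Names follow the CISA
# SSVC decision points; upper case matches the excerpt (assumed for unseen values).
ORDER = {
    "exploitation": ["NONE", "POC", "ACTIVE"],
    "automatable": ["NO", "YES"],
    "technicalImpact": ["PARTIAL", "TOTAL"],
}

def merge_ssvc(entries):
    """Combine per-source SSVC entries into one worst-case decision.

    Returns (decision, conflicts). decision maps each decision point to the most
    severe value any source reported, or None if no source reported a valid one.
    conflicts lists decision points where sources disagreed.
    """
    decision, conflicts = {}, []
    for point, scale in ORDER.items():
        seen = []
        for entry in entries:
            value = entry.get(point)
            # Ignore nulls and unknown strings rather than guessing a severity.
            if isinstance(value, str) and value.upper() in scale:
                seen.append(value.upper())
        decision[point] = max(seen, key=scale.index) if seen else None
        if len(set(seen)) > 1:
            conflicts.append(point)
    return decision, conflicts

def ssvc_inputs(cve_record, publicly_exposed):
    """Build the four assessment inputs: exposure comes from the caller's asset
    inventory (hypothetical flag), the rest from the record's ssvc array."""
    decision, conflicts = merge_ssvc(cve_record.get("ssvc") or [])
    decision["needsManualAssessment"] = [p for p in ORDER if decision[p] is None]
    decision["conflicts"] = conflicts
    decision["publiclyExposed"] = bool(publicly_exposed)
    return decision

# Constructed sample: the excerpt above, with the CISA-ADP exploitation value
# changed to POC so the two sources disagree.
SAMPLE = json.loads("""{"ssvc": [
  {"source": "CISA-ADP", "exploitation": "POC", "automatable": "NO", "technicalImpact": "TOTAL"},
  {"source": "VulnCheck", "exploitation": "ACTIVE", "automatable": "NO", "technicalImpact": "TOTAL"}
]}""")

if __name__ == "__main__":
    print(json.dumps(ssvc_inputs(SAMPLE, publicly_exposed=True), indent=2))
```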
Join us for June's In the Wild Webinar, where we will discuss CISA BOD 26-04 and SSVC at greater length: https://wwv.vulncheck.com/in-the-wild-with-vulncheck-webinar-series-june2026