
CISA BOD 26-04: Patch by Risk, Not CVSS Score

Siemserva dashboard ranking missing patches and CVEs by real exploitation risk with CISA KEV and EPSS

On June 10, 2026, CISA issued Binding Operational Directive 26-04, Prioritizing Security Updates Based on Risk. It does something the patching world has argued about for a decade: it retires the raw CVSS score as the required way to prioritize, and tells federal civilian agencies to remediate by real-world risk instead. The most dangerous vulnerabilities now carry a remediation clock measured in days, not months. BOD 26-04 supersedes the older BOD 19-02 and BOD 22-01, and CISA has published implementation guidance alongside it.

If you have followed Senserva, this will sound familiar. Ranking patches by what attackers are actually doing, not by a number in a vendor advisory, is exactly how Siemserva has always worked. Here is what the directive says, the model it puts at the center, and why it validates the way we already rank and fix patches.

What BOD 26-04 changes: risk over raw severity

For years, "patch the criticals first" meant "patch the highest CVSS scores first." The problem is that CVSS measures theoretical severity in isolation. It does not know whether a flaw is internet-facing, whether it is being exploited in the wild today, or whether an attacker can automate it at scale. BOD 26-04 replaces that single number with a risk decision built from four factors:

Asset exposure

Is the affected system reachable over a public network? Internet-facing assets move to the front of the line.

Known exploitation

Is it in CISA's Known Exploited Vulnerabilities (KEV) catalog? Active exploitation is the strongest signal there is.

Exploit automation

Can an adversary automate exploitation at scale, the way mass-scanning worms and ransomware crews do?

Technical impact

Does exploitation grant partial or total control of the system? Full compromise outranks a minor information leak.

Defenders are expected to combine these four factors with their own context: KEV status, Exploit Prediction Scoring System (EPSS) probabilities, and what each asset actually does in the business. CVSS does not disappear; it just stops being the thing that decides the deadline.

The new clock: as little as three days

BOD 26-04 ties the remediation deadline to the risk, not to a fixed monthly cadence. The combination that matters most, a flaw on an internet-facing asset that is in the KEV catalog, is easily automated, and carries high technical impact, gets the shortest window.

3 days

Highest risk. Actively exploited, internet-facing, high-impact flaws. Remediate in as little as three calendar days, plus a check for signs of compromise, because if it is in KEV, someone may already be inside.

Weeks

Elevated risk. Serious but less immediately dangerous combinations get longer, still-bounded windows measured in weeks.

Deferred

Genuinely low risk. Low-impact, unexposed, unexploited issues can wait, in some cases until a system's next major upgrade, so teams stop burning hours on noise.

Timelines summarized from CISA BOD 26-04 and its implementation guidance. The directive binds federal civilian agencies, but the model is a strong template for any organization. See the directive for the authoritative requirements.
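The four-factor decision and the three windows above are easy to misread as "sort by CVSS, then look at KEV." The following added example (not CISA's text or Senserva's code) shows the model as a triage function: each missing patch is tagged with the four factors, mapped to a tier, given a due date, and flagged for a compromise check when it is in KEV. Ordering within a tier falls to EPSS, and CVSS only breaks ties. The field names, the exact tier rules, the 21-day figure for the middle tier (the post says only "weeks"), and the sample records with their placeholder CVE identifiers are this example's assumptions, not the directive's matrix.

```python
"""Risk-tiering of missing patches along the lines of BOD 26-04's four factors.

Added example for this post. Factor names follow the directive as summarized
above; the tier rules, the tier-to-deadline mapping and the sample records are
assumptions made for the demonstration and are not CISA's published matrix.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Finding:
    """One missing patch / CVE pair on one asset. Field names are this example's own."""
    cve: str
    asset: str
    cvss: float            # vendor base score, used for tie-breaking only
    epss: float            # EPSS probability (0..1) of exploitation in the next 30 days
    internet_facing: bool  # factor 1: asset exposure
    in_kev: bool           # factor 2: known exploitation (listed in CISA KEV)
    automatable: bool      # factor 3: exploit automation at scale
    total_control: bool    # factor 4: technical impact is full compromise


# Tier -> remediation window in calendar days. "3 days" and "deferred" follow the
# post; 21 days for the elevated tier is an assumption standing in for "weeks".
TIER_DAYS: dict[str, Optional[int]] = {"highest": 3, "elevated": 21, "deferred": None}
TIER_RANK = {"highest": 0, "elevated": 1, "deferred": 2}


def assign_tier(f: Finding) -> str:
    """Combine the four factors into a tier. CVSS is deliberately not consulted."""
    # All four signals present: the directive's shortest clock.
    if f.in_kev and f.internet_facing and f.automatable and f.total_control:
        return "highest"
    # Assumption: anything in KEV, or any two of the four signals, is elevated.
    signals = sum((f.internet_facing, f.in_kev, f.automatable, f.total_control))
    if f.in_kev or signals >= 2:
        return "elevated"
    return "deferred"


@dataclass(frozen=True)
class Decision:
    finding: Finding
    tier: str
    due: Optional[date]          # None means deferred to a later upgrade window
    check_for_compromise: bool   # KEV listing: assume someone may already be inside


def prioritize(findings: list[Finding], today: date) -> list[Decision]:
    """Order findings by tier, then EPSS (descending), then CVSS as a last tie-break."""
    decisions = []
    for f in findings:
        t = assign_tier(f)
        days = TIER_DAYS[t]
        due = today + timedelta(days=days) if days is not None else None
        decisions.append(Decision(f, t, due, check_for_compromise=f.in_kev))
    decisions.sort(key=lambda d: (TIER_RANK[d.tier], -d.finding.epss, -d.finding.cvss))
    return decisions


# Constructed sample records. The CVE identifiers are placeholders, not real CVEs.
SAMPLE = [
    Finding("CVE-0000-0001", "vpn-gw-01", 7.5, 0.94, True, True, True, True),
    Finding("CVE-0000-0002", "build-agent-07", 9.8, 0.02, False, False, False, True),
    Finding("CVE-0000-0003", "mail-relay-02", 8.1, 0.40, True, False, True, False),
    Finding("CVE-0000-0004", "kiosk-lab-03", 5.3, 0.01, False, False, False, False),
]
TODAY = date(2026, 6, 10)  # the directive's issue date, used as the scan date here


def run_demo() -> list[Decision]:
    """Rank the constructed sample as of TODAY."""
    return prioritize(SAMPLE, TODAY)


if __name__ == "__main__":
    for d in run_demo():
        f = d.finding
        print(f"{d.tier:8} due={d.due} ioc_check={d.check_for_compromise} "
              f"{f.cve} {f.asset} cvss={f.cvss} epss={f.epss:.2f}")
```

The instructive row is the second record: a CVSS 9.8 flaw on an unexposed, unexploited build agent lands in the deferred tier, while the CVSS 7.5 VPN gateway flaw that is in KEV, internet-facing, automatable and grants full control gets the three-day clock and a compromise check. Swap the constructed list for real asset and KEV/EPSS data and the same function becomes a patch queue.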

Why Siemserva already works this way

Most risk reduction still comes down to the basics, done consistently and ranked correctly. Siemserva by Senserva tracks the true patch and CVE state across your Microsoft 365, Intune, and Entra ID estate, reading Microsoft's own data through Intune, Defender for Endpoint, and Azure Update Manager. Every missing patch is tied to the CVEs it fixes and ranked by what is actually being exploited, using CISA KEV and EPSS on top of CVSS, so you fix what attackers are using, not just what scores highest or what is oldest. That is precisely the prioritization model BOD 26-04 now puts at the center of federal patching. The patch heritage runs deep: Senserva is built by Mark Shavlik and his team, and Mark is the original creator of Shavlik patch management (HfNetChk, NetChk Protect, MBSA).

Finding a problem is only half the job. Every Siemserva finding arrives with a plain-language explanation, the mapped compliance control, and a validated, ready-to-run fix, so remediation is a step you take, not a research project. The next scan proves the gap is closed.

AI-enhanced security and IT management, with Trustworthy AI

When you turn AI on, it does the heavy lifting: AI-enhanced reports that explain findings to every audience, plain-language questions about your tenant answered from your real data, and agent-mode remediation that drafts and sequences fixes. The difference is how it is built. Senserva Trustworthy AI means every answer and every fix is grounded in your actual scan data, validated against your tenant state before you act, and produced with the model you bring, so your data stays with you. Deterministic where it counts, AI where it helps.

  • Grounded. Answers and remediations cite the real findings behind them, not guesses.
  • Validated. Every AI-suggested fix is checked against your current configuration before it runs.
  • Your model, your data. Bring your own AI; nothing leaves with a vendor.

Advancing IT and security management without AI, too

AI is additive, not required. Siemserva runs fully without it: every one of its 650+ checks is deterministic, so a result never depends on a model. The non-AI core keeps advancing on its own, and that matters for teams that cannot or will not put AI in the loop:

  • Broader deterministic coverage across identity, Conditional Access, devices, applications, email, logging, and Purview.
  • Continuous configuration drift management that compares your live state to a known-good baseline on every scan.
  • Audit-ready compliance evidence mapped to MCSB, CISA SCuBA, NIST, HIPAA, and more, with no AI involved.
  • Patch and CVE tracking, ranked and exportable, that stands on its own as a deterministic system of record.

The same engineering discipline that shipped patch management to millions of endpoints goes into the deterministic core. AI makes it faster to act; it does not make the foundation.

Why both tracks matter

Security leaders are rightly cautious about AI making changes in production. The answer is not to avoid AI, and it is not to trust it blindly. It is to keep a deterministic foundation that is correct on its own, and to add AI that is grounded, validated, and optional on top. That is how Senserva advances IT and security management: the fundamentals done right, and Trustworthy AI that earns its place.

Put BOD 26-04 to work today

You do not have to be a federal agency to adopt the directive's thinking. Start with our two free, no-sign-up lookup tables: the Microsoft patch tracker shows each patch with the CVEs it fixes and whether any are in CISA KEV, and the CVE reference ranks Microsoft and all-vendor KEV CVEs by real exploitation. Then run Siemserva against a free demo tenant and see the deterministic checks, the risk-ranked patch and CVE state, and the Trustworthy AI in one scan. No agents, no cost to start.
