How CISA BOD 26-04 redefines vulnerability management metrics for security leaders
Published 2026-06-30 13:00. Author: www.tenable.com

CISA’s BOD 26-04 changes how federal agencies patch and how security leaders must measure, justify, and communicate cyber risk to executives and boards.

Key takeaways

  1. BOD 26-04 requires agencies to make and defend risk-based vulnerability prioritization decisions, including decisions to defer vulnerability remediation. This accountability requirement transforms vulnerability management from a technical operation into a governance discipline that demands audit-ready documentation.
     
  2. Traditional vulnerability management KPIs (total vulnerabilities patched, mean time to patch, percentage of systems scanned) do not measure what BOD 26-04 demands. The metrics that matter are coverage breadth and risk-tier remediation rates.
     
  3. Tenable’s analysis of customer telemetry shows that monitoring coverage breadth is a stronger predictor of risk posture than patch speed, a finding independently corroborated by research showing organizations can remediate only about 10% of open vulnerabilities per month regardless of size or maturity.
     
  4. The directive’s reach extends beyond federal agencies to thousands of federal contractors who must align with BOD 26-04 through contract compliance requirements. Organizations in the federal supply chain should treat the directive as an operational requirement, not advisory guidance.
     
  5. The shift from patching metrics to risk exposure metrics is not a federal-only phenomenon. Industry reporting standards, insurance underwriting models, and board-level accountability expectations are converging on the same demand: prove that you are reducing actual risk, not just closing tickets.

The reporting mandate hiding inside CISA Binding Operational Directive (BOD) 26-04

Most coverage of CISA BOD 26-04 has focused on the operational requirements: the four-variable model, the 16-tier remediation matrix, the three-day BOD 26-04 patching timeline with mandatory forensic triage. These are significant, and Tenable has covered them in depth in our FAQ on BOD 26-04.

But buried in the directive’s requirements is a less-discussed obligation that may prove equally transformative: agencies must demonstrate how they prioritize vulnerabilities and justify their decisions, particularly in cases where they decide to defer remediation. Metrics are expected to evolve from simple counts of patched vulnerabilities to measures that reflect reduction in high-risk exposure.

This is not a minor procedural update. It is a fundamental shift in how cybersecurity programs are measured, reported, and held accountable. For CISOs and security leaders, BOD 26-04 does not just change the patching workflow; it changes what corporate boards of directors need to hear. And while the directive formally targets federal agencies, its framework is rapidly becoming the blueprint for the private sector as market forces align around risk-based accountability.

Why traditional vulnerability management metrics fail under BOD 26-04

For years, security leaders have measured vulnerability management programs by volume:

  • Total vulnerabilities identified
  • Total patches applied
  • Percentage of systems scanned within a 30-day window
  • Mean time to remediate

These metrics are easy to collect, easy to report, and easy to trend over time, but they are also increasingly disconnected from actual risk.

Tenable’s own analysis of customer telemetry across our global customer base confirms what many security leaders suspect but cannot prove: breadth of monitoring coverage is a more robust, predictive risk signal than patch velocity. Unmonitored assets exist as a permanently open attack surface; they cannot generate findings, be prioritized, or be verified as remediated. Conversely, monitored assets still pass through the risk pipeline even if remediation isn’t operating at maximum speed.

Independent industry research heavily corroborates the need to shift reporting from patching speed to monitoring coverage:

  • The remediation ceiling - The Cyentia Institute’s Prioritization to Prediction research (analyzing 3.6 billion vulnerability observations) found that the typical organization can only remediate roughly 10% of open vulnerabilities per month, regardless of size, industry, or maturity. Because you cannot out-patch the growth rate of your backlog, prioritization, not speed, is the only lever that meaningfully reduces risk.
  • The MTTR flaw - Standard mean-time-to-remediate (MTTR) calculations average only the findings that have been closed and silently drop everything still open. The result is biased toward items that were easy to close quickly, which are rarely the most severe or highest-risk ones, and it cannot see the long-lived exposures that matter most.
  • Asset composition skew - Remediation half-lives vary wildly across asset types: about 36 days for Microsoft Windows systems versus 369 days for network appliances. A strong MTTR often means only that Windows hosts are patched automatically and visibly; the same KPI can hide persistent exposure on edge devices and OT systems.

BOD 26-04 makes this explicit: remediation priority is determined by the risk posed by a vulnerability if exploited, not by the total number of vulnerabilities identified. The directive’s deferral tier (fix on system upgrade) formalizes what the data has always shown: most vulnerabilities can wait. The ones that cannot are defined by exploitation evidence, exposure, automation potential, and impact severity.

A CISO who reports, “We patched 95% of critical CVEs this quarter,” is reporting a metric that BOD 26-04 has rendered insufficient. 

The relevant question is: Of the vulnerabilities that posed real-world risk to mission-critical systems, what percentage did we remediate within the directive’s timeline, and how much of our attack surface was under observation when we made that assessment?

The new security metrics: What BOD 26-04 demands

The shift from volume-based to risk-based reporting requires new KPIs. Organizations implementing BOD 26-04 should consider metrics that reflect the directive’s four-variable prioritization model:

Remediation compliance by BOD tier. What percentage of vulnerabilities in each BOD tier (three-day forensic triage, three-day, 14-day, 60-day, system upgrade) are remediated within the applicable timeline? This is the core compliance metric. It replaces “mean time to remediate” with a risk-weighted measurement that distinguishes between a 3-day critical and a deferrable low-risk finding.

Coverage of actively exploited vulnerabilities. What percentage of KEV-listed vulnerabilities in the environment are remediated? This measures the response to the most dangerous known threats, not the total vulnerability population.

Exposure surface reduction over time. What is the trend in assets classified as publicly exposed (BOD Variable 1)? Reducing the number of internet-facing assets directly shifts vulnerabilities from compressed timelines to the deferral tier. Tenable’s analysis of the full CISA Vulnrichment corpus found that removing an asset from public exposure can shift 76.7% of its associated CVEs to longer remediation windows. This makes exposure reduction the single highest-leverage compliance investment.

Additional independent research reinforces why assessment coverage is a better indicator of risk outcomes than patch velocity. Joint analysis from XM Cyber and the Cyentia Institute, examining more than 60 million exposures across 10 million entities, found that 75% of security exposures do not put critical assets at risk: they are dead ends in the attack graph. Only 2% of exposures sit on “choke points,” the convergence nodes through which multiple attack paths transit en route to critical assets. This corroborates Tenable’s telemetry finding from a different angle: if your monitoring does not cover the entities where those choke points exist, your remediation speed on the other 98% is noise in the risk signal. 

The metric that matters is not how fast you patch, but whether your visibility extends to the places where attack paths converge.

Forensic triage completion rate. For vulnerabilities in the highest-risk tier (KEV + total control), what percentage received the forensic triage BOD 26-04 requires within the three-day window? This measures compliance with the directive’s most novel and operationally demanding requirement.

Deferral justification documentation rate. For vulnerabilities placed in the “fix on system upgrade” tier, what percentage have documented risk acceptance decisions? BOD 26-04 requires agencies to justify deferral decisions, which means every deferred vulnerability needs an auditable rationale.

Mean time from KEV addition to remediation. How quickly does the organization respond when a CVE is added to the KEV catalog and its BOD timeline compresses? This measures the speed of the organization’s response to dynamic timeline changes.

These metrics share a common characteristic: they measure risk reduction outcomes, not activity volume. A security program that patches fewer total vulnerabilities but remediates 100% of the 3-day tier within three days is performing better under BOD 26-04 than one that patches twice as many total CVEs but misses the critical timelines.
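To make the MTTR flaw and the tier-based compliance metric concrete, here is an added example, written for this page and not code from the original post or from Tenable, that computes both over a constructed set of findings. The asset names, CVE labels and dates are placeholders; the day-counts come only from the tier names used in this post (3-day, 14-day, 60-day, fix on system upgrade), not from the directive’s matrix.

```python
"""Added example, not code from the original post or from Tenable.

Shows why closed-only MTTR understates risk, and how a per-tier compliance
rate (open findings past their deadline count as misses) reads differently.
All findings below are constructed sample data; tier day-counts are taken
from the tier names the post uses, not from the directive's matrix.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Finding:
    asset: str
    cve: str
    tier_days: Optional[int]   # 3, 14, 60, or None for the deferral tier
    in_kev: bool
    opened: date
    closed: Optional[date]     # None = still open


# Constructed sample (not Tenable telemetry). Both findings still open past
# their deadline sit on edge devices, the case the post calls out.
FINDINGS = [
    Finding("win-01",     "CVE-A",  3,    True,  date(2026, 7, 1), date(2026, 7, 3)),
    Finding("win-02",     "CVE-A",  3,    True,  date(2026, 7, 1), date(2026, 7, 2)),
    Finding("win-03",     "CVE-B",  14,   False, date(2026, 7, 1), date(2026, 7, 10)),
    Finding("fw-edge-01", "CVE-C",  3,    True,  date(2026, 7, 1), None),
    Finding("vpn-01",     "CVE-D",  14,   False, date(2026, 7, 1), None),
    Finding("db-01",      "CVE-E",  60,   False, date(2026, 7, 1), date(2026, 7, 20)),
    Finding("hr-app",     "CVE-F",  None, False, date(2026, 7, 1), None),
]


def _as_date(d):
    return date.fromisoformat(d) if isinstance(d, str) else d


def naive_mttr(findings) -> float:
    """Mean days-to-close over CLOSED findings only. Open findings, including
    the KEV-listed one on fw-edge-01, are silently excluded."""
    durations = [(f.closed - f.opened).days for f in findings if f.closed]
    return sum(durations) / len(durations)


def tier_compliance(findings, as_of) -> dict:
    """Per tier: met / missed / pending, plus rate = met / (met + missed).
    Closed after the deadline, or still open once the deadline has passed,
    is a miss. Open and still inside the window is pending, not a pass."""
    as_of = _as_date(as_of)
    out = {}
    for f in findings:
        if f.tier_days is None:        # deferral tier: no timeline to measure
            continue
        deadline = f.opened + timedelta(days=f.tier_days)
        s = out.setdefault(f"{f.tier_days}-day", {"met": 0, "missed": 0, "pending": 0})
        if f.closed is not None:
            s["met" if f.closed <= deadline else "missed"] += 1
        elif as_of > deadline:
            s["missed"] += 1
        else:
            s["pending"] += 1
    for s in out.values():
        decided = s["met"] + s["missed"]
        s["rate"] = s["met"] / decided if decided else None
    return out


def kev_remediated_share(findings) -> float:
    """Share of KEV-listed findings that are closed at all."""
    kev = [f for f in findings if f.in_kev]
    return sum(1 for f in kev if f.closed) / len(kev)


def report(findings=FINDINGS, as_of="2026-07-31") -> dict:
    return {
        "naive_mttr_days": naive_mttr(findings),
        "tier_compliance": tier_compliance(findings, as_of),
        "kev_remediated_share": kev_remediated_share(findings),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(report(), indent=2))
```

On this sample the closed-only MTTR is 7.75 days, which looks healthy, while the 3-day tier is at 2 of 3 and the 14-day tier at 1 of 2 because the two open edge-device findings are counted as misses once their deadlines pass. Running `tier_compliance` with an earlier `as_of` shows the same open finding as pending rather than missed, which is why the reporting date must be recorded alongside the number.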

The accountability requirement: Justifying decisions to defer vulnerability remediation

BOD 26-04 introduces something federal vulnerability management has never had: a formal requirement to justify prioritization decisions. When an agency defers remediating a vulnerability to the next system upgrade cycle, that decision must be documented and defensible.

This creates an audit trail requirement. For every deferred vulnerability, the organization needs to demonstrate: 

  • Which of the four variables were assessed
  • What combination placed the vulnerability in the deferral tier 
  • Why the agency is confident the deferral does not create unacceptable risk 

If any of the four variables change (a CVE added to the KEV, an asset newly exposed to the internet), the deferral decision must be reassessed.

For CISOs, this means the vulnerability management program needs to produce reporting that is informative and evidence-based. Dashboards and reports become compliance documentation. The tooling that generates these reports must be capable of recording the four-variable assessment for every CVE on every asset, tracking changes over time, and surfacing when a deferral decision is no longer valid because a variable has shifted.
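As an added illustration of what such an audit trail looks like in data (this is not Tenable’s code and does not reproduce the directive’s matrix): an append-only decision log in Python that stores the four-variable snapshot with each prioritization decision, refuses an undocumented deferral up front, and re-derives every affected decision when a variable changes, leaving the superseded record in place for auditors. The mapping inside `assign_tier` is a placeholder that uses only the tier names this post mentions; the asset and CVE labels and the timestamps are constructed.

```python
"""Added example, not Tenable's code. Illustrative tier mapping only."""
from dataclasses import dataclass, asdict, replace
from datetime import datetime, timezone

DEFERRAL = "fix on system upgrade"


@dataclass(frozen=True)
class Variables:
    """The four variables the post lists, as assessed for one CVE on one asset."""
    publicly_exposed: bool
    in_kev: bool
    automatable: bool
    total_control: bool


def assign_tier(v: Variables) -> str:
    """ILLUSTRATIVE mapping (an assumption for this example). The directive's
    full matrix is not on this page; only the tier names and the fact that
    KEV + total control is the top tier are."""
    if v.in_kev and v.total_control:
        return "3-day forensic triage"
    if v.in_kev:
        return "3-day"
    if v.publicly_exposed and v.automatable:
        return "14-day"
    if v.publicly_exposed:
        return "60-day"
    return DEFERRAL


class DecisionLog:
    """Append-only: a decision is never edited, only superseded, so an audit
    question "why was this deferred?" is answered from the variable state at
    the time of the decision, not the state today."""

    def __init__(self):
        self.records = []

    def _append(self, asset, cve, v, rationale, when, supersedes):
        rec = {"asset": asset, "cve": cve, "variables": asdict(v),
               "tier": assign_tier(v), "rationale": rationale,
               "decided_at": when or datetime.now(timezone.utc).isoformat(),
               "supersedes": supersedes}
        self.records.append(rec)
        return rec

    def record(self, asset, cve, v: Variables, rationale=None, when=None):
        """New decision. A deferral without a rationale is rejected here,
        not discovered at audit time."""
        if assign_tier(v) == DEFERRAL and not rationale:
            raise ValueError(f"{asset}/{cve}: deferral requires a documented rationale")
        return self._append(asset, cve, v, rationale, when, None)

    def _latest_index(self):
        return {(r["asset"], r["cve"]): i for i, r in enumerate(self.records)}

    def current(self):
        """Latest record per (asset, cve)."""
        return {k: self.records[i] for k, i in self._latest_index().items()}

    def variable_changed(self, *, asset=None, cve=None, when=None, **changed):
        """One variable moved: a KEV addition is cve=..., in_kev=True; an asset
        becoming internet-facing is asset=..., publicly_exposed=True. Every
        current decision it touches is re-derived and superseded. The old
        rationale is NOT carried forward, so a deferral must be re-justified."""
        touched = []
        for (a, c), idx in self._latest_index().items():
            if (asset and a != asset) or (cve and c != cve):
                continue
            old_v = Variables(**self.records[idx]["variables"])
            new_v = replace(old_v, **changed)
            if new_v == old_v:
                continue
            touched.append(self._append(a, c, new_v, None, when, idx))
        return touched

    def undocumented_deferrals(self):
        return sorted(k for k, r in self.current().items()
                      if r["tier"] == DEFERRAL and not r["rationale"])

    def deferral_documentation_rate(self) -> float:
        deferred = [r for r in self.current().values() if r["tier"] == DEFERRAL]
        if not deferred:
            return 1.0
        return sum(1 for r in deferred if r["rationale"]) / len(deferred)


def rejects_undocumented_deferral() -> bool:
    try:
        DecisionLog().record("x", "CVE-X", Variables(False, False, False, False))
    except ValueError:
        return True
    return False


def demo() -> DecisionLog:
    """Constructed scenario: a KEV addition compresses two decisions; a later
    control reassessment leaves a deferral in place but strips its rationale."""
    log = DecisionLog()
    t0 = "2026-07-01T00:00:00+00:00"
    log.record("vpn-01", "CVE-D", Variables(True, False, True, False), when=t0)
    log.record("lab-01", "CVE-D", Variables(False, False, True, False),
               rationale="isolated lab segment; upgrade scheduled Q4", when=t0)
    log.record("hr-app", "CVE-F", Variables(False, False, False, False),
               rationale="internal only, no exploit, partial control", when=t0)
    log.record("int-01", "CVE-G", Variables(False, False, False, False),
               rationale="no network reachability", when=t0)
    log.variable_changed(cve="CVE-D", in_kev=True, when="2026-07-10T00:00:00+00:00")
    log.variable_changed(asset="int-01", total_control=True, when="2026-07-12T00:00:00+00:00")
    return log
```

After `demo()` runs, both CVE-D decisions carry `supersedes` pointers back to their original records and sit in the 3-day tier, the lab-01 deferral rationale is still readable in the history, and the deferral documentation rate drops to 0.5 because int-01’s reassessment has not yet been re-justified. That last number is the "deferral justification documentation rate" KPI, and the list of undocumented deferrals is the work queue behind it.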

This is where the Tenable One Exposure Management Platform provides a direct capability: continuous asset discovery combined with risk-based prioritization creates the audit-ready data foundation that BOD 26-04’s accountability requirement demands. When every asset has a continuously updated exposure status, every CVE has Vulnrichment-sourced variable assessments, and every prioritization decision is recorded, federal agencies and other organizations can demonstrate compliance at any point in time, not just at the last scan.

Learn more about the ways Tenable One supports BOD 26-04.

Beyond federal agencies: The contractor and supply chain dimension

BOD 26-04 is binding on Federal Civilian Executive Branch (FCEB) agencies. But the directive’s operational reach extends further than its legal mandate. CISA requires agencies to “review all contracts to determine what modifications are necessary to comply with the required actions of this Directive.” This puts thousands of federal contractors on notice.

Organizations that hold federal contracts, operate federal information systems on behalf of agencies, or provide managed security services to federal customers will face BOD 26-04 compliance requirements flowing down through contract vehicles. For these organizations, the directive is not advisory guidance. It is a contractual obligation that will appear in statements of work, security requirements matrices, and contract modification letters.

The reporting transformation applies to these organizations as well. Federal program managers will ask their contractors the same questions the directive asks agencies: 

  • Which vulnerabilities did you prioritize?
  • Why?
  • Can you prove you met the applicable timeline? 

Contractors who cannot produce BOD 26-04-aligned risk metrics will face a competitive disadvantage in contract renewals and new opportunities.

Organizations in the federal supply chain should begin now: 

  • Assess whether their vulnerability management tooling can produce the risk-exposure metrics BOD 26-04 demands
  • Evaluate their ability to track the four-variable model across their managed environments
  • Prepare to produce audit-ready documentation of their prioritization decisions

The convergence: Why BOD 26-04 matters beyond government

BOD 26-04 is driving a reporting transformation that reflects a broader convergence across the cybersecurity industry:

Insurance underwriting is shifting from binary questionnaire models to evidence-based risk assessment. Cyber insurers increasingly ask, “How do you prioritize patching, and can you demonstrate that your highest-risk vulnerabilities are remediated first?” The BOD 26-04 framework provides a defensible answer to this question.

Board-level accountability is driving demand for risk-exposure metrics over activity metrics. Directors and officers are increasingly held responsible for cybersecurity governance. A board that gets told “We patched 50,000 vulnerabilities this quarter” cannot assess the impact of patching those 50,000 vulnerabilities on the organization’s risk posture. In contrast, a board that hears “100% of our three-day-tier vulnerabilities were remediated within timeline, and our publicly exposed attack surface decreased by 15%” can make informed governance decisions.

Regulatory direction across sectors (financial services, healthcare, critical infrastructure) is moving toward risk-based frameworks. BOD 26-04 is the federal government’s version, but the underlying principle (prioritize based on real-world risk, not theoretical severity) is appearing in sector-specific regulations and standards. Organizations that adopt risk-exposure metrics now will be better positioned for whatever regulatory framework comes next.

How security leaders can prepare for BOD 26-04 compliance

The 180-day compliance deadline for BOD 26-04’s remediation timelines is approximately December 2026. But the reporting transformation should start immediately, because the directive’s policy update requirement is already in effect. Five actions will position security leaders for success:

  1. Audit your current reporting against the four-variable model. Review your existing vulnerability management dashboards and board reports. If they measure patching volume without distinguishing between risk tiers, they do not satisfy BOD 26-04’s accountability requirement. Identify which of the new KPIs (BOD tier compliance, KEV coverage, exposure reduction, forensic triage rate, deferral justification, time from KEV addition to remediation) your current tooling can produce and which require new capabilities.
  2. Establish the data foundation for risk-exposure reporting. The four-variable model requires knowing, for every vulnerability on every asset: 
  • Is the asset publicly exposed? 
  • Is the CVE in the KEV? 
  • Is the exploit automatable? 
  • Does it yield total or partial control? 

Organizations that cannot answer these questions continuously cannot comply with BOD 26-04 or produce the risk-exposure metrics it demands. Tenable One provides this continuous, four-variable data foundation through integrated attack surface management, KEV integration, and Vulnrichment data consumption.

  3. Build the audit trail now, not at the 180-day mark. Every prioritization decision your organization makes from this point forward should be documented with the four-variable assessment. When auditors or program managers ask, “Why was this vulnerability deferred?” the answer needs to be recorded, time-stamped, and traceable to the variable states at the time of the decision.
  4. Adopt the two-metric board communication model. The six operational KPIs outlined above serve the security team. For board and executive communication, Tenable’s research points to a simpler two-metric framework:
  • Monitoring coverage breadth, the proportion of the organization’s attack surface under active observation, as the leading risk indicator. Coverage breadth assesses whether the organization can see its risk.
  • Risk-tier remediation rate, the percentage of high-risk vulnerabilities remediated within their BOD-applicable timeline, as the trailing performance indicator. Remediation rate measures whether the organization is acting on what it sees.

Both metrics are necessary; neither alone is sufficient. A board member who sees these two numbers over time can assess whether the security program is actually reducing exposure or just optimizing within a shrinking field of view.

  5. Prepare the transition gradually. If your current board reporting covers patching counts and CVSS distributions, begin layering risk-exposure metrics alongside the traditional ones rather than replacing them overnight. Board members should begin seeing the language of BOD 26-04 (actively exploited vulnerabilities, publicly exposed assets, remediation by risk tier) in their regular reporting so that the shift is gradual and grounded in context, not abrupt and disorienting.

Moving from activity to accountability

The shift from patching metrics to risk exposure metrics is not a federal compliance exercise. It is the direction in which the entire cybersecurity industry is moving, driven by the reality that volume-based vulnerability management no longer reflects actual risk. 

Tenable’s analysis of customer telemetry demonstrates that monitoring coverage breadth is the stronger predictor of risk posture, and independent research from Cyentia, XM Cyber, and CISA converges on the same conclusion through different methodologies and datasets. 

BOD 26-04 has formalized this shift for federal agencies. The organizations that adopt its model first, regardless of sector, will be the ones best positioned to demonstrate that their security programs are reducing real-world risk, not just closing tickets.

Join Tenable's Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.

Learn more about Tenable One, the exposure management platform for the modern attack surface.



Source: https://www.tenable.com/blog/bod-26-04-ciso-reporting-risk-metrics