CISA issued a new binding operational directive on June 10, 2026, requiring US federal civilian agencies to patch software vulnerabilities on shorter risk-based timelines. Chris Butera said AI is enabling attackers to discover and exploit weaknesses in federal assets faster, so defenders can no longer take weeks to patch systems that can be autonomously exploited at scale.

The directive uses 4 criteria to assess urgency: whether a system is publicly exposed, whether the flaw appears in the Known Exploited Vulnerabilities Catalog, whether every exploitation step can be automated, and how much access a successful attacker would gain. If all 4 apply, agencies must fix the vulnerability within 3 days and perform forensic triage to determine whether systems were already compromised.

The order replaces the 2019 and 2021 patching directives; the older framework required the most critical bugs to be fixed within 15 days of detection and another high-urgency class within 30 days. CISA’s 2021 data indicated that, among the 4% of known exploited vulnerabilities, 42% were exploited on day 0 of disclosure, 50% within 2 days, and 75% within 28 days. Emily Long argued that patching remains important, but that architecture must also limit an intruder’s post-breach reach by design.

2026-06-14 (Sunday) · 346d18a55de9058cacf82d9498d34d8893c3f5c6