CVSS Is Officially Dead: What CISA’s BOD 26-04 Means for Everyone
In June 2026, the U.S. government stopped using severity scores to decide what to patch first. The model that replaces it is better, but it asks a question most security programs cannot yet answer.
On June 10, 2026, CISA issued Binding Operational Directive 26-04, “Prioritizing Security Updates Based on Risk.” On its surface it is a federal patching mandate. Read more closely, and it is something larger: the first time a government has formally retired the Common Vulnerability Scoring System as the basis for deciding what to fix. By revoking the older directive that required it, the federal civilian branch no longer mandates CVSS for vulnerability prioritization at all. One veteran practitioner called it, simply, “the death of CVSS as federal policy.”
This matters far beyond Washington. The previous directive’s Known Exploited Vulnerabilities (KEV) catalog became the most widely adopted prioritization signal in the world, used by enterprises and governments never bound by it. The new four-variable model will likely follow the same path. The question BOD 26-04 raises is now yours too.
Why the number had to go
CVSS was never designed to be a prioritization engine. It describes the theoretical severity of a vulnerability in the abstract, independent of where it lives or whether anyone can actually reach it. A CVSS 9.8 on an air-gapped lab box and a CVSS 9.8 on an internet-facing identity provider look identical to the score. They are not remotely the same risk.
That mismatch was tolerable while the volume was. It is no longer either.
Those figures come from the 2026 Verizon Data Breach Investigations Report. Read together, they show remediation getting slower at exactly the moment threats are accelerating, with AI compressing the time from disclosure to weaponization from weeks to hours. When the window to act is measured in hours and your median response in weeks, sorting that backlog by a context-free severity score is not prioritization. It is compliance theater. That is the gap BOD 26-04 was written to close, and the gap Picus was built to close.
What replaces it: four questions that matter
The new model is built on CISA’s Stakeholder-Specific Vulnerability Categorization (SSVC) framework: a decision tree that asks four binary questions about every vulnerability instead of assigning it a number.
The combination determines the deadline, on a graduated ladder rather than one flat timeline:
That last tier is the quiet revolution. The old model treated every cataloged vulnerability as urgent; the new one gives teams explicit permission to wait on the ones that do not matter. In one early federal analysis, only about 1% of vulnerability instances landed in the three-day bucket, while more than 60% qualified for deferral. The doctrine, in four words, is patch less but better. It is the model Picus has argued for, and built around, for years.
But there is a catch most of the coverage has glossed over, and it separates a program that looks ready for this model from one that actually is.
The harder question hiding inside the model
Three of the four variables come pre-answered. CISA publishes exploitation status, automatability, and technical impact for every CVE through its Vulnrichment program, as general attributes of the vulnerability itself. Those are properties of the CVE, not of your environment. They tell you what a vulnerability could do in principle, not what it would do inside your network, against your controls. And even that data is incomplete: by third-party estimates, Vulnrichment carries SSVC data for only about half of CVEs. Risk-based prioritization that is poorly fed delivers a false sense of control, because a better framework on thin data produces better-looking decisions, not better decisions.
The core problem
Knowing a vulnerability is theoretically automatable and grants total control is not the same as knowing whether the exploit chain would actually succeed against the EDR, segmentation, and identity controls you have deployed. One that is automatable in the abstract may be neutralized by a control you already own. Another that looks moderate on paper may be trivially reachable through a misconfiguration the model never sees.
BOD 26-04 tells you which tier a vulnerability belongs to. It does not tell you whether you are actually exposed to it. That is the move from a score to a decision, and it is exactly where Picus operates.
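The four-question tree described above, and the split between the three CVE-level attributes Vulnrichment supplies and the one environment-specific answer it cannot, as an added illustration that is not code from the post, from Picus, or from CISA. The tier names, the deadline ladder, the treatment of missing attributes and the `exposed` input are assumptions chosen for the example; the directive's actual tables are not reproduced here.

```python
# Added example (not the post's or CISA's code): an SSVC-style decision tree
# with the three CVE-level attributes CISA publishes through Vulnrichment plus
# the one environment-specific answer the directive leaves to the operator.
from dataclasses import dataclass
from typing import Optional

# Assumed deadline ladder in days; None means "defer" (no deadline).
DEADLINES = {"act": 3, "attend": 14, "track": 30, "defer": None}

@dataclass
class CveAttributes:
    """Vulnerability-level facts as Vulnrichment would publish them.
    None means the attribute is missing, which the text says is the case
    for roughly half of CVEs."""
    exploited: Optional[bool]     # exploitation observed in the wild?
    automatable: Optional[bool]   # can the exploit chain be automated?
    total_impact: Optional[bool]  # does it grant total control?

def tier(cve: CveAttributes, exposed: bool) -> str:
    """Return the remediation tier for one vulnerability instance.

    `exposed` is the environment-specific answer: is the vulnerable
    component reachable and unmitigated behind your own controls? It is
    the only input that is a property of your network, not of the CVE.
    """
    # Thin data must not silently read as "not exploited": a missing CVE
    # attribute falls back to the stricter value, so a gap in the feed
    # makes the decision look worse, never better (assumed policy).
    exploited = True if cve.exploited is None else cve.exploited
    automatable = True if cve.automatable is None else cve.automatable
    total = True if cve.total_impact is None else cve.total_impact

    if not exposed:
        # A control you already own neutralises the chain: this is the
        # "explicit permission to wait" tier.
        return "defer"
    if exploited and (automatable or total):
        return "act"
    if exploited or (automatable and total):
        return "attend"
    return "track"

def deadline_days(cve: CveAttributes, exposed: bool) -> Optional[int]:
    return DEADLINES[tier(cve, exposed)]

if __name__ == "__main__":
    # Constructed sample: the same CVE in two environments.
    rce = CveAttributes(exploited=True, automatable=True, total_impact=True)
    print(tier(rce, exposed=True), tier(rce, exposed=False))  # act defer
```

The same CVE lands in the three-day tier or the deferral tier depending only on the fourth answer, which is the point the post makes about where the score stops and the decision begins.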
How Picus answers the question the directive cannot
We have a name for the gap the directive exposes: the Exposure Decision Gap. Security teams are not short on findings. They are short on defensible answers about which findings actually matter, here, against these controls, right now. BOD 26-04 makes that gap official policy. Picus closes it, by proving exploitability rather than inferring it from attributes, across the whole environment.
When a new high-impact CVE lands and the three-day clock starts, Picus tells you in minutes whether you are actually exploitable, not in two weeks once an exploit becomes available. The directive’s timelines are dynamic, and the only way to keep pace with a dynamic model is continuous validation.
What to do now, federal mandate or not
BOD 26-04 is a preview of where vulnerability management is going industry-wide. Get ahead of it.
The score is no longer the decision. The decision is what matters now, and Picus is how you prove it.
Picus Security is the pioneer of Breach and Attack Simulation and the exposure validation platform that proves what attackers can exploit and what your defenses stop, turning every exposure into a defensible decision. See how the Picus validation loop closes the Exposure Decision Gap.
*** This is a Security Bloggers Network syndicated blog from Resources-2 authored by Süleyman Özarslan, PhD. Read the original post at: https://www.picussecurity.com/resource/blog/cvss-is-officially-dead-what-cisas-bod-26-04-means-for-everyone