Product Talk – CISA's BOD 26-04 Directive Explained, E26

Product Talk – CISA's BOD 26-04 Directive Explained, E26

From Autonomous IT by Automox

June 11, 2026 · 27 min · Episode 26

About this episode

The episode discusses CISA's BOD 26-04 directive and its implications for patch management and cybersecurity.

CISA's BOD 26-04 replaces severity-based patching with an exploit-evidence model and remediation clocks as short as three days, fleet-wide, no exceptions. Peter Pflaster and Jason Kikta unpack the four urgency signals, the 16-row decision tree, and the shift from "justify the patch" to "justify why you can't." They also cover what it means for contractors, cyber insurance, and the future of Patch Tuesday. If you own patching or vulnerability management, start here.

People in this episode

Guests: Peter Pflaster, Jason Kikta

Topics covered

  • CISA
  • patch management
  • vulnerability management
  • cybersecurity
  • exploit-evidence model

Keywords

  • CISA
  • BOD 26-04
  • patching
  • vulnerability management
  • cyber insurance
  • Patch Tuesday

Mentioned in this episode

Organizations: CISA, Automox

More episodes of Autonomous IT

Explore listener stats, chart rankings, contacts and more on the Autonomous IT podcast page.