
Product Talk – CISA's BOD 26-04 Directive Explained, E26
From Autonomous IT by Automox
June 11, 2026 · 27 min · Episode 26
About this episode
The episode discusses CISA's BOD 26-04 directive and its implications for patch management and cybersecurity.
CISA's BOD 26-04 replaces severity-based patching with an exploit-evidence model and remediation clocks as short as three days, fleet-wide, no exceptions. Peter Pflaster and Jason Kikta unpack the four urgency signals, the 16-row decision tree, and the shift from "justify the patch" to "justify why you can't." They also cover what it means for contractors, cyber insurance, and the future of Patch Tuesday. If you own patching or vulnerability management, start here.
People in this episode
Guests: Peter Pflaster, Jason Kikta
Topics covered
- CISA
- patch management
- vulnerability management
- cybersecurity
- exploit-evidence model
Keywords
- CISA
- BOD 26-04
- patching
- vulnerability management
- cyber insurance
- Patch Tuesday
Mentioned in this episode
Organizations: CISA, Automox
More episodes of Autonomous IT
- Patch [FIX] Tuesday – [Nothing Weaponized, Everything Exposed], E33 · June 9, 2026 · 24 min
- Patch [FIX] Tuesday – [AI Hits the Hat Trick], Ep. 32 · May 12, 2026 · 34 min
- Patch [FIX] Tuesday – [Emergency Episode: DirtyFrag Exploit Before Patch], Ep. 31 · May 8, 2026 · 11 min
- Autonomous IT, Live! The Math of Modern Attacks, E07 · April 28, 2026 · 33 min
- Secure IT – Claude Mythos: AI Vulnerability Hype vs. Evidence, E23 · April 23, 2026 · 8 min
- Patch [FIX] Tuesday – April 2026 [Double Feature: SQL Another Day + XSS Never Dies], E30 · April 14, 2026 · 8 min
Explore listener stats, chart rankings, contacts and more on the Autonomous IT podcast page.