CISA Binding Operational Directive (BOD) 26-04 mandates remediation of publicly exposed, highest-risk, known-exploited vulnerabilities within 3 days. The directive introduces a risk-based model prioritizing vulnerabilities based on exposure, KEV status, automation potential, and technical impact.