Humans are the Loop: What BOD 26-04 Leaves Unaddressed

Workflow
June 24, 2026
Jordan Schoenherr
Scientist

CISA's BOD 26-04 is a better, but imperfect, framework for vulnerability prioritization

It still misses the human factors that determine successful identification, triaging, and remediation.

CISA’s new binding operational directive outlines a change from patch-as-panacea to risk-based prioritization for federal vulnerability management. By adopting a four-variable triage framework, it advances how vulnerabilities are identified and prioritized for remediation. The directive, however, does not account for the people and organizational structures that execute those remediation decisions.

Figure 1. Decision tree summarizing BOD 26-04 prioritization framework. Source: CISA.

Instead of focusing on whether a patch has been released, CISA’s new Directive considers whether the vulnerable asset is exposed to the internet, whether the vulnerability is actively being exploited, whether that exploitation is automated, and whether the exploitation grants control of the system.

The highest-risk combinations require remediation within three days, with forensic triage required where the directive calls for agencies to determine whether compromise has already occurred.

The directive inherits the same assumption that has defined vulnerability management for decades. At its core, remediation is defined and understood as a technical pipeline. That pipeline is blocked primarily by prioritization failures. Fix the prioritization logic and the pipeline clears. BOD 26-04 improves that prioritization logic. The remaining issue is that it leaves implementation questions unaddressed. It doesn’t consider who runs the pipeline, what cognitive load they carry, or what happens when a three-day deadline arrives at the end of a quarter inside an agency operating under reduced capacity due to recent layoffs and/or competing demands. Even with the introduction of AI to vulnerability and patch management, we must recognize that humans aren’t just in the loop; they are the loop.

While the directive reduces reliance on KEV status, it still depends on agencies being able to identify exposed assets, determine exploitability, assess technical impact, and enumerate affected systems quickly enough for the timeline to matter. For zero-days or fast-moving exploitation, the practical problem is not only the formal remediation clock. It is whether the agency can make those determinations while exploitation is unfolding.

Humans are the Loop

As AI systems are adopted and adapted to cybersecurity, there remain many questions about how much these systems can be trusted. This is typically framed in terms of ‘Human-in-the-loop’ or continua of control based on system operations.

The directive’s logic is sound as a decision framework. Remediation is modeled as a technical pipeline that is simplified once prioritization improves. BOD 26-04 addresses the prioritization input. However, it doesn’t address how SOC analysts and organizational leadership interpret and act on the information in real-world conditions.

This creates a significant implementation issue because vulnerability remediation is not a single technical event. It is a sequence of human decisions distributed across time, completed by those in different roles, within organizational time and human resource limitations. The analyst who receives the alert must judge its context. The team lead must allocate people and change windows. The CISO must authorize exceptions or escalations. Each of those steps requires deliberate cognition, performed by someone whose capacity to process and act is bounded, and whose environment can be actively hostile to the speed the directive demands.

A three-day remediation window on the highest-risk category sounds achievable in isolation. In practice, it is processed by organizations that are managing staff reductions, competing project deadlines, and incident queues already measured in weeks. The 43-day median remediation time cited in the 2026 Verizon DBIR is a measurement of organizations whose people cannot clear the queue at the speed the threat requires, regardless of how well the queue is sorted.

Getting to Know Your OODA Loop

BOD 26-04's prioritization framework focuses on one major decision point: how urgency is defined and what events should be prioritized. It does not address what follows.

The OODA loop provides one means to capture cybersecurity-relevant decision-making at a high level. Developed for air combat decision-making, it assumes that an analyst progresses through a cycle defined by Observation, Orientation, Decision, and Action. While imperfect, it can be applied to cybersecurity to understand how defenders can respond faster to attacks. When defenders can get ‘inside the attacker’s OODA loop’, they can halt attacks.

Figure 2. BOD 26-04 role in the OODA Loop Model.

The problem with OODA loop adoption in cybersecurity is that practitioners often underestimate the importance and demands of the Orientation phase, which has downstream effects on decision and response. Orientation requires application of mental models and frameworks to real-world events. Two analysts observing the same alert need not orient the same way due to differences in workload and system familiarity. Moreover, the timelines do not necessarily align with human capabilities, and have been described by some early commentators as “aggressive, bordering on unrealistic.”

BOD 26-04 should improve the Observe phase by standardizing and sharpening what gets flagged and its perceived urgency, if only marginally. It does not address Orientation. The directive tacitly assumes that once alerts are prioritized, analysts will make sense of the information, effectively skipping a step. This works when analysts have deep familiarity with the affected systems, expertise, and normal cognitive load. But these conditions are rarely found in real operational environments.

What BOD 26-04 Leaves Unaddressed

As a high-level framework, organizations cannot expect BOD 26-04 to address the organizational and analyst decision-making processes. Organizations must therefore address orientation, decision-making, and response themselves by equipping employees with the right training, tactics, and tools:

Cognitive load at key decision points

Vulnerability queues are not experienced as ordered lists. They arrive as a stream of alerts across multiple tools, alongside incident tickets, change requests, and escalations from other parts of the organization. The analyst working a three-day window on a high-priority vulnerability is doing so inside that stream. Research on decision-making under cognitive load demonstrates that high-load conditions produce narrower attention, increased reliance on heuristics, and higher rates of error on tasks that require contextual judgment. Prioritization logic that correctly identifies what needs to be patched first does not reduce the cognitive cost of executing that patch under those conditions.

Organizational capacity under specific deadlines

The three-day window described in BOD 26-04 is a compliance requirement. Whether an agency can meet it depends on staffing levels, change management processes, system dependencies, and whether the affected asset owner is reachable and cooperative. None of those variables appear in BOD 26-04's framework. The framework therefore implies that organizations must always maintain this capability or coordinate with others who do. An agency running at reduced capacity due to workforce restructuring and re-skilling faces the same three-day requirement as one at full strength.

Expertise distribution across remediation chains

The forensic triage requirement for highest-risk vulnerabilities assumes that the agency can execute a competent triage within the remediation window. However, forensic triage is a specialized skill. It requires not just tooling but experienced analysts who know what compromise evidence looks like in context. This expertise is not evenly distributed across federal agencies. CISA's own history also demonstrates this issue. Following workforce reductions that reduced the agency from 3,400 to ~2,300 employees between early 2025 and early 2026, it recently announced plans to hire 300 new staff. New hires require time to adapt to organizational workflows, develop relationships with stakeholders, and build situational awareness.

BOD 26-04 establishes a compliance standard that organizations must meet through their internal processes. The directive does not require agencies to demonstrate that their remediation capacity matches the timelines it defines. It does not address how agencies with limited forensic expertise should obtain it, whether through shared services, contractor support, or inter-agency coordination. And it does not specify what happens when an agency cannot meet the three-day window, beyond the implication of non-compliance.

Aligning Organizational Operations and Strategy to the Directive

Despite these issues, BOD 26-04 represents a step in the right direction. Organizations inside and outside the federal government should treat this as a clear signal of renewed attention to how vulnerability management will be perceived going forward. The four-factor model is a better basis for risk-based remediation than CVSS alone, and the compressed timelines for highest-risk cases reflect a more realistic pace of AI-assisted exploitation.

Implementation questions remain in terms of whether organizations that adopt this model are structured to execute it reliably:

Map the Remediation Chain

For each of the four risk tiers in BOD 26-04, identify who receives the alert, who makes the remediation decision, who executes the patch, and who performs forensic triage if required. In large organizations, this will likely require identifying key roles and ensuring they are staffed accordingly. Competency-based assessments and situational awareness tasks should be performed at regular intervals to ensure that each person in the chain is aware of their role in remediation. Where possible, run a tabletop exercise based on the three-day window using a realistic organizational scenario, including reduced staffing and novel threats.

Define and Characterize Conditions of Cognitive Load

Identify which roles in the remediation chain carry the highest concurrent workload and what conditions cause that load to spike. These periods will differ based on organizational procedures, but shift changes, end-of-week, and quarter- and year-end activities are principled starting points. Organizations must also be prepared for attacks that occur during active incidents, whether orchestrated by the same attack group or coincidental. Designing escalation and decision handoff procedures for those conditions is necessary to ensure that BOD 26-04 can be implemented effectively.

Organizations should also map the asset exposure determination step specifically. Identifying whether an asset is publicly reachable is deceptively difficult in environments with complex, overlapping firewall rules, cloud integrations, and legacy infrastructure. These decisions are often made within similar time pressures as the remediation itself, by analysts without full visibility into the network. It is a high-load decision point that requires its own separate processes.

Be Honest About Organizational Triage Capabilities

If your organization cannot reliably triage within a three-day window with available staff, acknowledge this limitation. Even if BOD 26-04 is not applicable to your organization, the discrepancy between staffing realities and needs must be addressed.
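To make the three recommendations above concrete, here is an added Python example; it is not CISA's code and not the article author's. It ties the four factors described earlier (internet exposure, active exploitation, automation, control of the system) to a remediation chain per tier, a check for the load windows named above, and an honest triage-capacity check. The tier names, role names, every deadline other than the three-day highest-risk window, the two-analyst-day triage cost, and the count-based stand-in for the Figure 1 decision tree (which the article does not reproduce) are all constructed assumptions.

```python
"""Added example, not CISA's or the article author's code: tier assignment from
the four BOD 26-04 factors, a remediation chain per tier, and checks for
high-load windows and triage capacity. Everything except the four factors and
the three-day highest-risk window is a constructed assumption."""
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Finding:
    asset: str
    internet_exposed: bool
    actively_exploited: bool
    exploitation_automated: bool
    grants_control: bool


@dataclass(frozen=True)
class Chain:
    """Who receives, decides, patches and triages for a tier (placeholder roles)."""
    receives_alert: str
    decides: str
    executes_patch: str
    forensic_triage: Optional[str]  # None when the tier needs no forensic triage


# Only the 3-day window for tier 1 comes from the article; the other deadlines,
# the role assignments and the triage cost are ASSUMED values for an exercise.
TIER_DEADLINE_DAYS = {1: 3, 2: 14, 3: 30, 4: 90}
TIER_CHAIN = {
    1: Chain("soc-analyst", "ciso", "platform-team", "dfir-lead"),
    2: Chain("soc-analyst", "team-lead", "platform-team", None),
    3: Chain("vuln-mgmt", "team-lead", "asset-owner", None),
    4: Chain("vuln-mgmt", "asset-owner", "asset-owner", None),
}
TRIAGE_ANALYST_DAYS_NEEDED = 2.0  # assumed cost of a competent forensic triage


def assign_tier(f: Finding) -> int:
    """Tier 1 = all four factors true (the highest-risk combination). Lower
    tiers simply count the remaining factors; this is a stand-in for the
    Figure 1 decision tree, which the article does not reproduce."""
    factors = (f.internet_exposed, f.actively_exploited,
               f.exploitation_automated, f.grants_control)
    return min(4, 5 - sum(factors))


def high_load_reasons(d: date) -> list:
    """Calendar conditions the article names as load spikes. Shift changes are
    a time-of-day condition and are left out of this date-based check."""
    reasons = []
    if d.weekday() >= 4:  # Friday or weekend: end-of-week crunch
        reasons.append("end-of-week")
    if d.month in (3, 6, 9, 12):
        last_day = calendar.monthrange(d.year, d.month)[1]
        if d.day > last_day - 3:  # last three days of the quarter
            reasons.append("quarter-end")
            if d.month == 12:
                reasons.append("year-end")
    return reasons


def plan(f: Finding, reported_iso: str, triage_analyst_days_free: float) -> dict:
    """Produce the per-finding record a remediation-chain map would hold."""
    reported = date.fromisoformat(reported_iso)
    tier = assign_tier(f)
    window = TIER_DEADLINE_DAYS[tier]
    chain = TIER_CHAIN[tier]
    forensic_required = chain.forensic_triage is not None
    # Honest capacity check: record the gap instead of assuming triage happens.
    capacity_gap = forensic_required and triage_analyst_days_free < TRIAGE_ANALYST_DAYS_NEEDED
    # Look at every day of the window, not just the deadline, for load spikes.
    load = sorted({r for i in range(window + 1)
                   for r in high_load_reasons(reported + timedelta(days=i))})
    return {
        "asset": f.asset,
        "tier": tier,
        "deadline": (reported + timedelta(days=window)).isoformat(),
        "chain": chain,
        "forensic_required": forensic_required,
        "capacity_gap": capacity_gap,
        "load_conditions": load,
    }


if __name__ == "__main__":
    # Constructed sample: an exposed, exploited, automated, control-granting
    # finding reported on a Friday at quarter-end with one free analyst-day.
    worst = Finding("vpn-gw-01", True, True, True, True)
    print(plan(worst, "2026-03-27", triage_analyst_days_free=1.0))
```

The useful output is not the deadline itself but the two flags next to it: a `capacity_gap` that is true before the window even starts, and `load_conditions` showing that the window overlaps a quarter-end weekend, are exactly the conditions the tabletop exercise above should rehearse.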

Shared services and inter-agency support arrangements are one mechanism for reducing the forensic gap. CISA's own capacity to assist agencies directly is critical here, and changes to that capacity, whether through workforce restructuring or hiring, affect what the federal ecosystem can realistically deliver against these timelines.

The federal support reduction also has downstream consequences for state and local governments. CISA's Cybersecurity State Coordinators and Regional Cybersecurity Advisors have historically served as the connective tissue between federal directives and sub-federal implementation. However, CISA's work with state and local governments has been impeded by force reductions, the elimination of CIPAC, the withdrawal of federal funding for MS-ISAC, and Congress's failure to reauthorize the State and Local Cybersecurity Grant Program. Although organizations outside the federal civilian executive branch are not formally impacted by BOD 26-04, the support infrastructure that helped smaller governments approximate federal standards has significantly contracted.

Frameworks like BOD 26-04 provide a useful point of reference and a standard to compare against. They are not designed to address the organizational mechanisms required for their implementation. Research on national cybersecurity strategy frequently notes the discrepancy between a principled directive and unaddressed issues related to workforce development, governance, and capacity questions that determine whether those objectives are met.

BOD 26-04 is a better framework than what it replaces. Whether it produces better outcomes depends on how organizations support their human loop.

What is feature engineering

In practice, feature engineering is both science and a bit of witchcraft. It often involves both iteration and experimentation to uncover hidden patterns and relationships within the data. For instance, a data scientist might transform raw sales data into features such as average purchase value, purchase frequency, or customer lifetime value, which can significantly boost the performance of a churn prediction model. By thoughtfully engineering features, practitioners can provide machine learning models with the most informative inputs, ultimately leading to better accuracy and more robust predictions.


What is data engineering

As we mentioned above, feature engineering is certainly a subset of data engineering. It involves the ingestion of data from a source, applying a series of transformations, and making the final result available to be queried by a model for training purposes. You can construct feature engineering pipelines to resemble data engineering pipelines, having schedules, specific source and sink destinations, and availability for querying. However, this configuration would only really apply once you have surpassed the experimentation stage and determined a need for a consistent flow of new feature data.
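An added illustration of that pipeline shape, in Python; this is not code from the article's author. Raw sales rows are ingested from a constructed in-memory source, transformed into the three features named earlier (average purchase value, purchase frequency, lifetime value), and written to a small queryable sink. The sample records, the `FeatureStore` sink and the 30-day frequency normalisation are assumptions made for the example.

```python
"""Added example (not from the article): a miniature feature pipeline with the
source -> transform -> sink shape the text describes. The sales rows are
constructed sample data; the 30-day frequency normalisation is an assumption."""
from collections import defaultdict
from datetime import date

# Source: constructed raw sales rows as (customer_id, ISO purchase date, amount).
RAW_SALES = [
    ("c1", "2026-01-05", 40.0),
    ("c1", "2026-02-09", 60.0),
    ("c1", "2026-03-14", 50.0),
    ("c2", "2026-03-01", 200.0),
]


def build_features(rows, as_of_iso: str) -> dict:
    """Transform: aggregate raw rows into the per-customer features the text
    names (average purchase value, purchase frequency, lifetime value)."""
    as_of = date.fromisoformat(as_of_iso)
    totals = defaultdict(float)
    counts = defaultdict(int)
    first_seen = {}
    for cid, when_iso, amount in rows:
        when = date.fromisoformat(when_iso)
        totals[cid] += amount
        counts[cid] += 1
        first_seen[cid] = min(first_seen.get(cid, when), when)
    features = {}
    for cid in totals:
        tenure_days = max((as_of - first_seen[cid]).days, 1)  # avoid div by zero
        features[cid] = {
            "avg_purchase_value": totals[cid] / counts[cid],
            "purchases_per_30d": counts[cid] * 30 / tenure_days,
            "lifetime_value": totals[cid],
        }
    return features


class FeatureStore:
    """Sink: keyed store a training job queries for a customer's feature vector."""

    def __init__(self):
        self._rows = {}

    def write(self, features: dict) -> None:
        self._rows.update(features)

    def vector(self, cid: str, names: list) -> list:
        return [self._rows[cid][n] for n in names]


def run_pipeline(as_of_iso: str) -> FeatureStore:
    """One scheduled run: ingest -> transform -> materialise in the sink."""
    store = FeatureStore()
    store.write(build_features(RAW_SALES, as_of_iso))
    return store


if __name__ == "__main__":
    store = run_pipeline("2026-04-04")
    print(store.vector("c1", ["avg_purchase_value", "purchases_per_30d", "lifetime_value"]))
```

Scheduling `run_pipeline` with a moving `as_of_iso`, and swapping `RAW_SALES` for a real source, is what turns this experiment into the consistent flow of feature data the paragraph describes.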


1. Functions

Functionally, there is nothing that differentiates data from features: both are data points. Where feature engineering and data engineering really differ is in the objectives and motivations for constructing the pipelines. In general, data engineering serves a broader, more unified purpose than feature engineering. Data engineering platforms are constructed to be flexible and universal, ingesting various types and sources of data into a unified storage location where any number of transformations and use cases can be applied. The intent of a well-constructed fact table or gold layer in a data lake is to provide a single source of truth that answers many different questions, produces many reports, and can be consumed by many downstream customers.

2. Practice

And in practice, an organization’s data engineering team will be responsible for the curation and maintenance of all data pipelines, not just those that relate to machine learning. These pipelines may power BI dashboards used by C-Suite, auditing reports that feed payroll, or event logs that show a user’s history of actions within the application.

Feature engineering, on the other hand, serves a specific purpose: finding the tailored inputs and columns that will generate the best predictive results for a machine learning model. Data scientists and machine learning engineers are not tasked with developing a universal data model that will ingest all data points throughout an organization; they only need to select, curate, and clean the data needed to power their models.

3. Machine learning

Now, as machine learning teams grow and begin to incorporate more and more data sources into their models, their feature engineering platform may start to resemble a larger data engineering platform in the tools and methodologies they employ. But the intent is not to establish flexible data models that can be used throughout the organization; it is simply to power their machine learning models.
