CISA has issued a revised Binding Operational Directive compressing federal patch windows for high-severity Known Exploited Vulnerabilities to 3 days. Federal civilian executive branch agencies, covered contractors, and FedRAMP-authorized cloud service providers must immediately audit patch management workflows against the new timelines. The directive’s BOD number and specific timeline figures are pending source verification against the official text.