Read PRO-06 in the June 2026 ISM and notice which words are doing the work.
Three words that a severity-threshold patching policy cannot satisfy.
Validated. A scanner result is a claim, not a finding. Validation means establishing that the vulnerability is real and reachable in your environment — not that a version string matched a CVE database.
Prioritised. Prioritisation requires a basis. If the basis is a CVSS band, the priority is a property of the vulnerability, identical for every organisation on earth. That is not prioritisation. It is transcription.
Verified for effectiveness. Not “patch applied.” Verified. By what, and from where?
The ISM already tells you what to prioritise on
Look at the patching controls and the word that keeps appearing:
- ISM-1876: patches for vulnerabilities in online services applied within 48 hours when assessed as critical by vendors or when working exploits exist.
- ISM-1877: patches for operating systems of internet-facing servers and internet-facing network devices applied within 48 hours under the same conditions.
- ISM-1695: the same class of flaw on non-internet-facing systems — one month.
The variable separating 48 hours from a month is not severity. It is exposure. ASD has priced internet-facing exposure at roughly fifteen times the urgency of the identical vulnerability behind the perimeter.
Which raises the obvious question, and it is not a technical one: which of your services are internet-facing?
Not what the CMDB records. What is reachable, today, from outside. If you cannot answer that with confidence, you cannot apply ISM-1876 or ISM-1877 at all — you are simply guessing which queue each vulnerability belongs in, and reporting the guess as a control.
The exploitation condition, and what it demands
Both 48-hour controls trigger on critical severity or when working exploits exist. That second condition is not something your scanner knows. It is threat intelligence — and the ISM says so elsewhere, in IDE-04: risks are identified including by using current strategic and sector-specific cyber threat intelligence.
There is also a control most Australian organisations have never operationalised:
ISM-1921
- The likelihood of system compromise is frequently assessed when working exploits exist for unmitigated vulnerabilities.
Not “patch it.” Assess whether you have already been compromised. That is a fundamentally different posture — and it presumes you know which of your assets the exploit could actually reach.
Washington reached the same conclusion, and put a number on it
On 10 June 2026, CISA issued Binding Operational Directive 26-04, superseding and revoking BOD 22-01 and BOD 19-02. In revoking BOD 19-02, it removed the requirement for US federal agencies to use CVSS for prioritisation at all.
What replaced it is the Stakeholder-Specific Vulnerability Categorization methodology — SSVC, developed by Carnegie Mellon’s CERT/CC with CISA and published for years. Nothing about the methodology is new. What is new is who answers which question. The four decision points are:
- KEV Status — is it being exploited?
- Exploit Automation — can exploitation be automated?
- Technical Impact — partial or total control?
- Asset Exposure — is the asset publicly exposed?
CISA publishes the first three for every CVE through its Vulnrichment program. They are properties of the vulnerability, identical for everyone. Asset Exposure is the exception. It is a property of your estate, and the directive points agencies to CISA’s Internet Exposure Reduction Guidance and tells them to work it out themselves.
Agencies must also, quarterly or on request, attest their publicly exposed IP addresses and domain names through CISA’s Cyber Hygiene scope-change process. An inventory is what you believe. An attestation is what you are prepared to sign — against an external reality CISA independently scans.
Be honest about the limits: Vulnrichment carries SSVC data for only around half of all CVEs by third-party estimate, and the three supplied decision points describe what a vulnerability could do in principle, not against your segmentation and identity architecture. A better framework fed thin data produces better-looking decisions, not better ones.
What June and July actually demonstrated
June 2026 added 23 vulnerabilities to the KEV catalogue, six of them zero-days, with CVSS scores running as low as 5.8.
Hold a 5.8 against a conventional Australian SLA. It is a medium. It sits in a thirty-day queue behind a stack of nines nobody is exploiting. It is being exploited in the wild today, and the policy has correctly, defensibly and catastrophically deprioritised it. That is not an execution failure — it is the model working exactly as designed, on the wrong variable. PRO-06 asks for validated and prioritised. A CVSS band is neither.
The affected products make the point again: SimpleHelp, Ivanti Sentry, Check Point Security Gateway, Cisco Unified Communications Manager, Ubiquiti UniFi OS, Lantronix EDS5000, Oracle PeopleSoft, Splunk Enterprise, SolarWinds Serv-U. July continued it — SharePoint on 1 July, Langflow and two Joomla page-builders on 7 July.
Remote access. Edge appliances. Internet-facing platforms. Not the exotic — the reachable.
The legacy principle nobody quotes
GOV-14 — Legacy system management: systems not capable of meeting cyber security requirements are managed using compensating controls, along with enhanced monitoring and assurance activities, to maintain an acceptable level of residual risk until they can be decommissioned or replaced.
Set that beside the Telstra outage of 8 July 2026 — a nationwide failure the carrier attributed to a software defect affecting time synchronisation across nodes in its Sydney and Melbourne data centres, with its own chief financial officer conceding the company did not know why. Whatever the final finding, a principle covering exactly that risk class already existed. The guidance was not missing. The inventory was.
The question for a board
When the CISO reports that critical vulnerabilities are remediated within SLA, there is now a follow-up, and it is not technical:
For how many of our assets could we attest to the exposure status — and what happens to our remediation queue if we assume the unknown ones are exposed?
PRO-06 asks for validation, prioritisation and verified effectiveness. Each of the three needs an input the severity score does not contain, and that internal tooling cannot produce.
But ISM-1921 — assess the likelihood of system compromise when working exploits exist — has no Essential Eight mapping. And ISM-2118, added in June 2026, requiring vulnerability assessments and penetration tests before deployment, before significant changes, and at least annually thereafter, has none either.
The Essential Eight measures whether you patched. It does not measure whether you were already compromised, or whether anyone has independently assessed you. The arithmetic is here.
Sources & references
- ASD — Information security manual, June 2026 (PRO-06, GOV-14, IDE-04, ISM-1695, ISM-1876, ISM-1877, ISM-1921, ISM-2118)
- CISA — BOD 26-04 (10 June 2026): SSVC decision points; quarterly Cyber Hygiene exposure attestation
- CISA — BOD 26-04 Implementation Guidance (Vulnrichment; revocation of BOD 22-01 and BOD 19-02)
- GuidePoint Security — three decision points supplied; the agency owns exposure; unknown exposure defaults to exposed
- VulnCheck — Vulnrichment SSVC coverage reaches only ~45.8% of CVEs
- HiveForce Labs — CISA KEV catalogue, June 2026 (23 additions, six zero-days, CVSS from 5.8)