Changes to the ratings algorithm from the 2026 Ratings Algorithm Update (RAU26) will take effect on July 16, 2026, and include:
- DMARC risk vector becomes rating-impacting
- Critical Vulnerability Management (CVM) replaces Patching Cadence and improves how vulnerability presence and patching are measured
- Email risk vector default grades change for entities with no domains
For the three months prior to the RAU, starting April 16, 2026, users will have access to preview dashboards showing how the coming RAU may affect their own ratings and risk vector grades, and those of the entities in their portfolio.
DMARC Becomes Rating-Impacting
With RAU26, the DMARC risk vector will become rating-impacting, adding to Bitsight’s assessment of email security and spoofing risk. The DMARC risk vector was released in April 2024 as an ungraded, non-rating-impacting (informational) risk vector, becoming a graded risk vector in early 2026.
Currently, the Bitsight rating includes SPF and DKIM. DMARC enforcement and alignment will now also be included in the rating, to better reflect whether organizations have implemented effective controls against email spoofing and phishing.
Key details:
- DMARC requires that the domain authenticated by SPF or DKIM align with the domain in the visible From: header, and lets the domain owner publish an enforcement policy (none, quarantine, or reject) for mail that fails that check.
- Email spoofing and phishing remain common breach entry points, and DMARC directly measures whether preventative controls are in place.
- Like SPF and DKIM, DMARC will have a risk vector weight of 1%.
- In turn, the weight of Compromised Systems will decrease from 27% to 26%.
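The two properties named above, enforcement and alignment, are what a DMARC-aware receiver actually computes from the published TXT record. The following Python is an added example written for this page, not Bitsight's code or any part of its rating methodology. It parses a DMARC record, applies the relaxed/strict alignment modes (aspf=, adkim=) to the SPF and DKIM results of a message, picks the subdomain policy (sp=) where it applies, and reports whether the record is actually enforcing. The sample records are constructed, the DNS lookup of _dmarc.<domain> is not performed, and the organizational-domain helper is a deliberate simplification (real implementations use the Public Suffix List); all function names are the example's own.

```python
"""Parse a DMARC record and decide whether a message passes DMARC.

Added example (not Bitsight's code): it models the two things the DMARC
risk vector looks at, enforcement (p=/sp=/pct=) and alignment (aspf=/adkim=).
The DNS lookup of _dmarc.<domain> is not performed; records are passed in.
"""

# Constructed sample DMARC TXT records; not real DNS data.
SAMPLE_RECORDS = {
    "example.com":     "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=r",
    "weak.example":    "v=DMARC1; p=none; rua=mailto:reports@weak.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=50",
    "subs.example":    "v=DMARC1; p=reject; sp=none",
}

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into a tag dict and reject malformed records.

    v=DMARC1 and p= are required; aspf, adkim and pct take their RFC 7489
    defaults when absent (relaxed alignment, 100 percent of mail).
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("record is missing v=DMARC1")
    if tags.get("p", "").lower() not in VALID_POLICIES:
        raise ValueError("record is missing a valid p= tag")
    tags.setdefault("aspf", "r")
    tags.setdefault("adkim", "r")
    tags.setdefault("pct", "100")
    return tags


def organizational_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two labels.

    Assumption for this example only: real implementations consult the
    Public Suffix List so that names like example.co.uk are handled.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Relaxed ('r'): organizational domains match. Strict ('s'): exact match."""
    if mode.lower() == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def evaluate(from_domain: str, record: str, record_domain: str,
             spf_domain: str = "", spf_pass: bool = False,
             dkim_domain: str = "", dkim_pass: bool = False) -> dict:
    """Apply the record to one message's SPF/DKIM results.

    spf_domain is the domain SPF authenticated (MAIL FROM), dkim_domain the
    d= of a DKIM signature that verified. Either one, when it also aligns
    with the From: domain, is enough for DMARC to pass.
    """
    tags = parse_dmarc(record)
    spf_aligned = bool(spf_pass and spf_domain
                       and is_aligned(from_domain, spf_domain, tags["aspf"]))
    dkim_aligned = bool(dkim_pass and dkim_domain
                        and is_aligned(from_domain, dkim_domain, tags["adkim"]))
    passed = spf_aligned or dkim_aligned

    # sp= governs subdomains of the record's domain; it defaults to p=.
    frm, rec = from_domain.lower(), record_domain.lower()
    is_subdomain = frm != rec and frm.endswith("." + rec)
    policy = tags["p"].lower()
    if is_subdomain and tags.get("sp", "").lower() in VALID_POLICIES:
        policy = tags["sp"].lower()

    # "Enforcing" means failures are actually acted on for all mail.
    enforcing = policy in ("quarantine", "reject") and int(tags["pct"]) == 100
    return {
        "pass": passed,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "policy": policy,
        "disposition": "none" if passed else policy,
        "enforcing": enforcing,
    }


if __name__ == "__main__":
    # A third-party sender passes SPF for its own domain, but nothing aligns
    # with the From: domain, so the reject policy applies.
    spoofed = evaluate("example.com", SAMPLE_RECORDS["example.com"], "example.com",
                       spf_domain="bulk-sender.example", spf_pass=True)
    print(spoofed["disposition"])  # reject
```

The example shows why "has a DMARC record" is not the same as "enforces DMARC": a p=none record or a pct below 100 still lets spoofed mail through, and a strict adkim= mode can make a legitimately signed message fail when the signing domain differs from the From: domain.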
Critical Vulnerability Management (CVM)
RAU26 introduces improvements to how vulnerability risk is reflected in the rating, through updates to the current Patching Cadence risk vector. This risk vector will be renamed Critical Vulnerability Management, and is also undergoing a methodology change.
These changes are designed to align risk vector grades and Bitsight ratings more closely with real-world risk, prioritizing vulnerabilities by a better balance of severity and how long they remain unpatched.
Key changes:
- High-severity vulnerabilities have a more significant, faster impact on grades.
- Long-running low-severity findings have reduced effects.
- Scores better reflect absolute vulnerability risk.
As part of this update, CVSS scores will also be refreshed across the board to ensure consistency and accuracy. For more information, see the Frequently Asked Questions.
SPF and DKIM Default Grades for Entities with No Domains
RAU26 will reflect a change in how email-focused risk vectors are handled for entities that do not have any associated domains.
Currently:
The current default grades can be overly punitive for entities without email-sending activity (for example, a subsidiary that does not itself send email). Note that DMARC already behaves this way: its default grade for all cases of insufficient gradable data is N/A.
With RAU26:
- If an entity has no associated domains: the email risk vectors will receive a letter grade of N/A.
- An N/A grade is non-punitive and functions the same as a perfect grade for the risk vector.
- If an entity does have domains: grading will continue as it does today, including the existing default grades.