The Sheffield Press

U.S. agencies get three days to fix critical cyber flaws

By Pamella Goncalves

Federal civilian agencies now have only three days to fix the most dangerous cyber flaws, a drastic compression of the government’s patching timeline that puts operations teams on crisis footing. The new Cybersecurity and Infrastructure Security Agency directive requires agencies to fix, disable or remove vulnerable software and equipment from the internet within three calendar days when the flaw is severe enough, a deadline aimed at exposures hackers can weaponize at speed.

The policy is built around a tiered model rather than a single universal clock. Less severe problems, including flaws that are harder to automate or do not involve publicly exposed infrastructure, get more time. In an initial analysis at one large civilian agency, CISA said only 1% of vulnerability instances would fall into the three-day category, while more than 60% could be deferred until the next system upgrade. That means the order is designed to concentrate scarce labor on the smallest slice of the highest-risk systems, not to force every office into the same emergency schedule.

AI-generated illustration

The directive also builds on an existing federal patching regime. Binding Operational Directive 22-01, issued on November 3, 2021, created CISA’s Known Exploited Vulnerabilities Catalog, the agency’s authoritative list of vulnerabilities exploited in the wild. Federal civilian executive branch agencies are already required to remediate KEV-listed vulnerabilities within prescribed timeframes. The new order tightens the fastest end of that system, shrinking the gap between disclosure and remediation for the flaws CISA believes pose the greatest immediate danger.

Chris Butera, CISA’s senior technical director for the Cybersecurity Division, said the agency is responding to a new reality in which artificial intelligence helps attackers scan, prioritize and exploit weaknesses faster than defenders can patch them. Butera has more than 20 years of cybersecurity and IT leadership experience, and he described the directive as an initial step to counter the increased capabilities of emerging AI models. The message from Washington is clear: agencies can no longer assume they have weeks to respond once a critical weakness is exposed.

Related photo (source: afcea.org)

CISA has been widening that AI focus across its cyber guidance. Its materials on artificial intelligence stress secure-by-design practices and AI red teaming, and it recently released guidance with the National Security Agency’s Artificial Intelligence Security Center, the Australian Signals Directorate’s Australian Cyber Security Centre and other partners on the careful adoption of agentic AI services. The agency also continues to point agencies to SSVC, a prioritization framework it co-developed in 2019 with Carnegie Mellon University’s Software Engineering Institute. Taken together with those efforts, the new three-day rule shows a federal posture shifting toward faster, risk-based cyber defense as AI accelerates both the hunt for flaws and the effort to exploit them.
