Illustration of a digital shield cracking under AI-powered attacks, with a countdown timer showing 72 hours, symbolizing CISA's new 3-day patch requirement for federal agencies.
Illustration of a digital shield cracking under AI-powered attacks, with a countdown timer showing 72 hours, symbolizing CISA's new 3-day patch requirement for federal agencies.

Business By June

The shift to 3-day fixes reflects how AI changes the speed of cyber threats, useful context for a colleague in tech or policy watching infrastructure risks.

CISA Orders Faster Patching Due to AI Threats Story flow and key facts

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a new binding directive requiring federal civilian agencies to patch critical software vulnerabilities in as little as three days. This change is driven by advances in artificial intelligence that enable attackers to discover and exploit security flaws at unprecedented speed. The directive replaces older timelines—15 days for critical bugs and 30 for high-severity ones—and introduces a four-part urgency rubric based on exposure, exploit automation, access level, and known exploitation status.

Under the new rules, any vulnerability that is publicly exposed, listed in CISA’s Known Exploited Vulnerabilities Catalog, fully automatable by attackers, and grants high-level access must be fixed within 72 hours. Agencies must also conduct forensic triage to determine if a breach has already occurred. The policy supersedes previous directives from 2019 and 2021, reflecting the accelerating threat landscape shaped by AI.

While the directive pushes for faster response, experts note it addresses only part of the challenge. Security leaders like Emily Long of Edera argue that without architectural changes to limit breach impact, faster patching alone won’t be enough. CISA officials acknowledge the directive is an initial step, with more systemic reforms likely needed as AI reshapes cyber defense.

Facts

  • CISA issued a new binding directive requiring federal agencies to patch critical software vulnerabilities in as little as 3 days.
  • The urgency is based on four criteria: public exposure, presence in CISA’s Known Exploited Vulnerabilities Catalog, full exploit automation, and high-level access if exploited.
  • The directive supersedes previous 15-day and 30-day patching timelines from 2019 and 2021.
  • Agencies must also conduct forensic triage to check if systems were already compromised.
  • AI advancements are enabling faster discovery and exploitation of vulnerabilities, prompting the tighter timeline.

Canto visual news explainer. AI tools may assist production. Editorial policy

Related news