CISA Mandates Three-Day Patching for US Federal Agencies Amid AI Threats
The US Cybersecurity and Infrastructure Security Agency has introduced a strict rubric requiring federal civilian agencies to remediate critical software vulnerabilities within 72 hours, marking a significant shift in federal cybersecurity posture.

The US Cybersecurity and Infrastructure Security Agency (CISA) issued a binding operational directive on Wednesday requiring federal civilian agencies to patch critical software vulnerabilities within three days. This accelerated timeline supersedes previous orders from 2019 and 2021, which mandated 15-day and 30-day deadlines for critical and high-urgency vulnerabilities, respectively. The directive is driven by the risk that new artificial intelligence models enable threat actors to discover and exploit vulnerabilities more rapidly and autonomously.
Agencies must prioritise fixes based on a four-point rubric that assesses whether the vulnerability is publicly exposed, whether it is listed in CISA's Known Exploited Vulnerabilities Catalog, whether exploitation can be fully automated by an attacker, and what level of access an attacker would gain. If all four criteria apply, the three-day deadline is mandatory. CISA also requires agencies to conduct a forensic triage to determine if systems have already been compromised when addressing these critical bugs.
Chris Butera, CISA's acting executive assistant director for cybersecurity, stated that the three-day deadline was chosen as a feasible balance, noting that a 24-hour turnaround would not be practical for most agencies. Butera emphasised that the goal is to help agencies prioritise attention on the most at-risk assets, given that advancements in AI allow threat actors to find and exploit vulnerabilities in federal assets with greater speed and scale.
The directive acknowledges that US federal cybersecurity has improved over the past decade but continues to face challenges due to funding shortfalls and competing priorities. In 2021, CISA noted that threat actors exploit vulnerabilities rapidly, with 42% of known exploited vulnerabilities used on day zero of disclosure, 50% within two days, and 75% within 28 days. The new framework aims to address these timelines in an era where AI capabilities are accelerating the pace of cyber threats.
Industry experts have responded with caution, arguing that patching alone may be insufficient. Emily Long, CEO of cloud security firm Edera, commented that while the directive is well-intentioned, it only addresses half the challenge. She argued that architectural changes for containment are equally necessary, stating that if an architecture does not limit what an attacker can reach after a breach, organisations are simply running faster on the same treadmill.
Butera acknowledged this broader perspective, describing the new directive as an initial step to counter the increased capabilities of emerging AI models. He noted that while patching remains important, there is still more work to be done, including the need for systemic architectural approaches to invalidate whole classes of vulnerabilities. The directive represents a significant shift in federal cybersecurity strategy, prioritising speed and precision in response to the evolving threat landscape.

