CISA Orders 3-Day Patching for Critical Flaws as AI Accelerates Threats

The United States Cybersecurity and Infrastructure Security Agency issued a binding operational directive on Wednesday that dramatically shortens the window federal civilian agencies have to patch critical software vulnerabilities—down to just three days in the most severe cases.

The directive establishes a four-tier assessment framework that agencies must use to evaluate patching urgency. Vulnerabilities meeting all four criteria—publicly exposed systems, inclusion in CISA's Known Exploited Vulnerabilities Catalog, potential for fully automated exploitation, and significant access if compromised—must be remediated within 72 hours. Agencies must also conduct forensic triage to determine if systems have already been breached.

Why it matters

AI models are fundamentally changing the economics of cyberattacks. What once required skilled human analysts to discover and exploit can increasingly be automated at scale. This directive acknowledges that defensive timelines built for the pre-AI era are no longer adequate—but also signals that even aggressive patching may not be sufficient without deeper architectural changes to software security.

Replacing decade-old timelines

The new requirements replace two previous CISA directives from 2019 and 2021 that allowed 15 days for the most critical vulnerabilities and 30 days for high-urgency flaws. Even under those older standards, CISA noted in 2021 that 42 percent of exploited vulnerabilities were being used on the day of disclosure, with half exploited within two days.

Chris Butera, CISA's acting executive assistant director for cybersecurity, told reporters the directive aims to help agencies prioritize limited resources on the most dangerous exposures first. "Defenders cannot afford to take weeks to patch systems that can be autonomously exploited en masse," Butera said, according to details first reported by WIRED.

The three-day deadline for top-tier vulnerabilities represents a balance between urgency and operational reality. Butera acknowledged that federal agencies face funding constraints and competing priorities that would make even shorter timelines impractical.

Beyond patching

Security researchers are increasingly concluding that accelerated patching alone won't solve the problem AI-enabled attacks create. Emily Long, CEO of cloud security firm Edera, argued that organizations need architectural approaches that limit what attackers can access after an initial breach. "If your architecture doesn't limit what an attacker can reach after a breach, you're just running faster on the same treadmill," Long said.

Butera appeared to acknowledge this reality, describing the directive as "an initial step to counter the increased capabilities of emerging AI models" while noting "there is still more work to do."

The directive reflects growing recognition across government and industry that AI is fundamentally reshaping the vulnerability lifecycle—compressing the time between disclosure and exploitation while potentially expanding the pool of actors capable of mounting sophisticated attacks.

WIRED first reported the details of CISA's new binding operational directive.