CISA Mandates Accelerated Vulnerability Patching for US Agencies Amid AI-Powered Threat Rise
The Cybersecurity and Infrastructure Security Agency (CISA) has introduced new guidelines that significantly tighten the timeline for federal agencies to address security vulnerabilities, responding to the accelerating pace of cyber threats enabled by artificial intelligence.
Under the new directive, agencies must now remediate critical vulnerabilities within 72 hours—a stark reduction from previous timelines. The agency warns that the emergence of AI-powered attack tools has fundamentally altered the threat landscape, making weeks-long patching cycles untenable.
"Defenders cannot afford to take weeks to patch," a CISA official stated during the announcement. The directive reflects concerns that malicious actors are increasingly leveraging AI to identify and exploit vulnerabilities at unprecedented speeds, compressing windows of opportunity that once lasted months into days or even hours.
The directive applies to all federal civilian executive branch agencies and establishes a tiered system based on vulnerability severity. Critical flaws require remediation within three days, high-severity issues within 30 days, and medium-severity vulnerabilities within 90 days.
Security experts have broadly welcomed the move, though some note that resource constraints may make it difficult for smaller agencies to meet the accelerated timelines. CISA has indicated it will provide support and guidance to help agencies meet the new requirements.