CISA Slashes Critical Bug Patch Deadline to 3 Days

Get the Tech newsletter
Daily tech — startups, AI labs, chips, the launches that shape the next decade. Free.
- CISA released a new binding operational directive requiring federal civilian agencies to patch the most critical software vulnerabilities within three days, down from the 15-day deadline set in 2019 and 2021 directives.
- The directive's urgency rubric uses four criteria — public exposure, listing in CISA's Known Exploited Vulnerabilities Catalog, whether exploitation can be fully automated, and the access level an attacker would gain — and a bug meeting all four triggers the three-day turnaround plus a mandatory forensic triage for compromise.
- Chris Butera, CISA's acting executive assistant director for cybersecurity, said AI now lets threat actors 'find and exploit vulnerabilities' in federal assets far faster, adding that 'defenders cannot afford to take weeks to patch systems that can be autonomously exploited en masse.'
- Butera defended the three-day floor over a 24-hour mandate, noting federal cybersecurity still 'lags' due to funding shortfalls and competing priorities that would make shorter deadlines infeasible for most agencies.
- CISA's own 2021 data showed 42% of known exploited vulnerabilities are weaponized on day 0 of disclosure, 50% within two days, and 75% within 28 days, underscoring the pre-AI baseline speed that motivated the revised timeline.
- Emily Long, CEO of cloud security firm Edera, called the directive 'half the challenge,' arguing patching alone is insufficient and that architectural containment — limiting what an attacker can reach post-breach — must complement faster remediation.
- Butera framed the directive as 'an initial step to counter the increased capabilities of emerging AI models,' signaling CISA views further structural measures as still forthcoming.
Why it matters: Federal civilian agencies now face a fivefold compression of their critical-patch window — from 15 days to 3 — which forces security teams to triage and remediate against the same four-factor urgency rubric, with non-compliance effectively mandated through a binding operational directive. The shift acknowledges that AI-assisted vulnerability discovery and automated exploitation are shrinking the defender's window faster than staffing and budgets can scale to match.




