The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a new directive requiring federal agencies to patch certain security vulnerabilities within three days. The accelerated timeline responds to the growing threat posed by artificial intelligence tools.
CISA officials warned that attackers can now exploit weaknesses faster than ever. One official stated on Wednesday that defenders cannot afford to take weeks to patch vulnerabilities in the current threat landscape.
The directive applies to bugs that are actively exploited or pose significant risk to national security. Agencies must now implement fixes for these critical flaws within 72 hours.
The decision marks a shift from previous patching timelines, which often allowed 15 to 30 days. The change reflects the speed at which AI-powered cyberattacks can spread once a vulnerability is disclosed.
Federal agencies will need to streamline internal processes to meet the new deadlines. This includes improving communication between security teams and systems administrators.
The directive also strengthens reporting requirements. Agencies must notify CISA immediately when they identify vulnerabilities meeting the new criteria.
CISA continues to update its binding operational directives as the threat environment evolves. The agency expects organizations to adapt their security practices accordingly.
Experts note that private sector companies may also benefit from adopting similarly aggressive patching timelines. The directive sets a new standard for cybersecurity responsiveness across all sectors.
