CISA Orders Faster Patching for US Agencies Over AI Threats

The Cybersecurity and Infrastructure Security Agency (CISA) is tightening its vulnerability disclosure rules, telling US federal agencies to patch critical security flaws in as little as three days. The directive responds to the accelerating pace of cyberattacks, particularly those leveraging artificial intelligence tools. “Defenders cannot afford to take weeks to patch,” one CISA official warned on Wednesday.

The new guidance marks a significant acceleration from previous timelines, which often allowed agencies weeks to remediate vulnerabilities. CISA officials argue that AI-powered attacks are evolving faster than traditional defenses, making rapid patching essential to national security. The directive applies to all civilian federal agencies under CISA's purview.

Under the updated binding operational directive, agencies must now address critical vulnerabilities within three days of disclosure, high-severity flaws within seven days, and medium-severity issues within 30 days. Previously, critical bugs carried a 15-day remediation window. Non-compliance could result in escalated oversight or enforcement actions by CISA.

The tighter deadlines may strain already overworked IT security teams across the federal government. Smaller agencies with limited cybersecurity budgets could struggle to meet the new requirements, potentially leading to a spike in compliance challenges. Industry observers warn the directive may also trigger a rush on security tooling and automated patching solutions.

CISA's move adds pressure on technology vendors to deliver patches faster and with greater reliability. Critics argue that rapid patching without thorough testing risks introducing new vulnerabilities. Yet with AI threats growing in sophistication, the agency chose speed over caution.