CISA Orders US Agencies to Fix Critical Security Bugs in 3 Days Due to AI Threats

Original: CISA Tells US Agencies to Fix Security Bugs in as Little as 3 Days Thanks to AI Threats

Why This Matters

Reflects escalating cybersecurity urgency as AI enables faster vulnerability discovery and exploitation.

CISA issued a new directive requiring federal civilian agencies to patch critical vulnerabilities within 3 days, citing AI-enabled threat actors who can autonomously exploit bugs at scale. Previous requirements allowed 15-30 days for most urgent fixes.

The Cybersecurity and Infrastructure Security Agency released a binding operational directive Wednesday establishing a four-tier urgency rubric for software patching. Critical vulnerabilities meeting all four criteria (publicly exposed systems, known exploited bugs, automatable exploitation, and significant access potential) must be fixed within three days. CISA's Chris Butera warned that "defenders cannot afford to take weeks to patch systems that can be autonomously exploited en masse." The directive replaces 2019 and 2021 orders that required 15-30 day patch timelines. CISA noted that 42% of known exploited vulnerabilities are used on disclosure day, 50% within 2 days, and 75% within 28 days. The agency designed the framework with federal funding limitations and competing priorities in mind.

Source

wired.com