US May Cut Cyber Fix Deadlines from 14 Days to 3

Key Takeaways

- US officials are discussing cutting the deadline to fix critical IT flaws from two weeks to three days
- AI tools like Anthropic's Mythos and OpenAI's GPT-5.4-Cyber can now find and exploit vulnerabilities in hours
- The change would apply to CISA's Known Exploited Vulnerabilities catalogue, affecting all civilian agencies

The Proposal on the Table
US cybersecurity officials are considering a dramatic shift in how fast government agencies must patch critical software flaws. The proposal would slash the deadline for fixing actively exploited vulnerabilities from two weeks to just three days, according to sources familiar with the discussions.
The talks involve Nick Andersen, acting chief of the Cybersecurity and Infrastructure Security Agency (CISA), and Sean Cairncross, the US national cyber director. Reuters reports that no final decision has been made, and neither CISA nor the Office of the National Cyber Director has commented.
The change would affect CISA's Known Exploited Vulnerabilities (KEV) catalogue. This database tracks flaws that are already being abused by criminals or nation-state hackers. When a vulnerability lands on this list, civilian agencies currently have 14 days to patch it. Under the proposed rules, that window would shrink to 72 hours.
Why the Rush? AI Changed the Timeline
The urgency comes from a simple problem: AI has compressed the attacker's timeline. Tools like Anthropic's Mythos and OpenAI's GPT-5.4-Cyber can now identify previously unknown vulnerabilities or pounce on freshly disclosed ones far faster than human hackers could alone.
Where it once took hackers months, weeks, or days to weaponize a software flaw, some attacks now happen within hours of a vulnerability becoming public. That compression leaves defenders scrambling.
“If you're going to protect civil agencies, you're going to have to move faster. We don't have as much of a window as we used to have.”
— Stephen Boyer, founder of Bitsight, a cybersecurity company that has helped CISA catalogue vulnerabilities
Hackers have been using AI since at least 2023. But these newer models represent a step change in capability. They can identify unknown vulnerabilities, analyze disclosed flaws, and enable complex hacking operations with minimal human oversight.
What This Means for Federal IT Teams
A three-day deadline is aggressive by any standard. Most enterprise IT teams consider two weeks tight for testing, deploying, and verifying patches across large networks. Three days means patching becomes the top priority the moment a KEV alert lands.
CISA already occasionally compresses deadlines for particularly severe vulnerabilities. The proposed change would make three days the default, not the exception. Agencies would need to restructure their patching workflows, staffing, and testing procedures to meet the new standard.
The banking industry is already feeling similar pressure. According to the source, regulators are racing to adapt as more advanced AI models hit the market. Financial institutions are scrambling to update their security postures in response.
The Broader Context
This proposal reflects a broader shift in how security professionals think about vulnerability management. The traditional model assumed defenders had time to assess, test, and carefully deploy patches. AI-powered attacks are breaking that assumption.
The KEV catalogue itself has become a critical tool for prioritization. With thousands of vulnerabilities disclosed each year, agencies need a way to focus on what matters most. Flaws that are actively being exploited jump to the front of the line. But even that prioritization fails if patches arrive too late.

What Happens Next
No timeline has been set for a final decision. The discussions remain ongoing, and implementation details would need to be worked out even after a decision is reached. Questions remain about how agencies with older systems or limited IT staff would comply with compressed deadlines.
If adopted, the change would likely ripple beyond government. Federal contractors and vendors who connect to government systems often inherit similar security requirements. Private sector organizations that benchmark against CISA guidance might also reconsider their own patching timelines.
Frequently Asked Questions
What is the CISA Known Exploited Vulnerabilities catalogue?
The KEV catalogue is a list maintained by CISA that tracks software vulnerabilities actively being exploited by hackers. When a flaw appears on this list, federal civilian agencies are required to patch it within a specified deadline.
Why are US officials considering shorter patching deadlines?
AI tools can now identify and exploit software vulnerabilities within hours of disclosure, far faster than previous timelines of days or weeks. The shorter deadline aims to close this gap before attackers can strike.
Which AI tools are driving the concern?
Officials have specifically cited Anthropic's Mythos and OpenAI's GPT-5.4-Cyber as examples of AI models that can quickly identify unknown vulnerabilities or exploit newly disclosed ones.
Would the new deadline apply to all vulnerabilities?
The proposed three-day deadline would apply to vulnerabilities added to the KEV catalogue, meaning those already being actively exploited in the wild. Other vulnerabilities would still follow existing timelines.
When will a decision be made?
No timeline has been announced. Discussions between CISA and the National Cyber Director are ongoing, and neither agency has commented publicly on the proposal.
Source: Tech-Economic Times / ET
Huma Shazia
Senior AI & Tech Writer