CISA Weighs Cutting Federal Patch Deadline From 14 Days To 72 Hours


U.S. cybersecurity officials are weighing a move to slash the federal patching deadline for actively exploited flaws from roughly two weeks to just 72 hours, a shift driven by the arrival of AI models that can find and weaponize bugs in hours rather than weeks. The change, first reported by Reuters on May 1, 2026, is being discussed by acting CISA chief Nick Andersen and National Cyber Director Sean Cairncross. No final order has been signed. If it lands, every Federal Civilian Executive Branch agency would have three days to apply, isolate, or rip out anything CISA flags as a Known Exploited Vulnerability.

The current rule, set under Binding Operational Directive 22-01, gives agencies 14 days for most KEV entries and six months for older CVEs. Cutting that to 72 hours would compress the longest path of any normal patch cycle: discovery, ticketing, vendor coordination, regression testing, change control, deployment, and verification.

The 14 To 3 Day Math

Andersen all but signaled the change weeks before Reuters broke the proposal. Speaking at Auburn University’s McCrary Institute, he said the goal is “reducing that window that we’re seeing where perhaps people had a week to two weeks to be able to address published CVEs.” Translation: 14 days is no longer fast enough.

The trigger is data, not theatre. VulnCheck’s State of Exploitation 2026 report tracked 884 newly exploited vulnerabilities in 2025 and found that 28.96% were exploited on or before the day the CVE was published. In Q1 2025 alone, 432 fresh CVEs landed in the company’s KEV database, more than triple what CISA itself catalogued in the same period.

Here is the math driving the proposal:

  • 14 days: current default deadline under BOD 22-01 for KEV entries with CVE IDs from 2021 onward.
  • 3 days: the proposed new default for actively exploited flaws.
  • ~29%: share of 2025 KEVs already weaponized on or before public disclosure.
  • 137 days: average time critical KEVs actually stayed unpatched in industry, per Bitsight’s 2024 analysis.

Why Mythos Changed The Calculus

Anthropic shipped Claude Mythos Preview on April 7, 2026, with one statistic that landed like a rock through the window. The model autonomously found and exploited CVE-2026-4747, a 17-year-old remote code execution bug in FreeBSD’s NFS server. It also surfaced a 16-year-old FFmpeg flaw that had survived more than 5 million automated tests.

The UK’s AI Security Institute evaluation put numbers on what that means in practice. Mythos solved expert-level offensive security tasks 73% of the time, and it became the first model to complete a 32-step simulated corporate network attack from start to finish. The previous best model averaged 16 of 32 steps. Mythos averaged 22 and finished the full chain in three of ten attempts.

OpenAI’s GPT-5.4-Cyber, released into limited preview shortly after, hit similar marks. Anthropic’s own engineers estimate comparable capability will spread across other labs within six to eighteen months. That timeline is what is forcing CISA’s hand. The agency cannot keep promising defenders a 14-day buffer if the offensive side is operating in 14 hours.

The Workforce Hole CISA Is Patching From

Here is the part most coverage skipped. CISA wants federal teams to move faster while the agency itself has been hollowed out. According to CISA’s own leadership page, Andersen was named acting director only in February 2026, the second interim chief in a year. The agency still has no Senate-confirmed permanent director.

The headcount tells the rest of the story.

Metric                                     FY2025 baseline   FY2026 request
Funded positions                           4,021             2,649
Full-time staff                            3,641             2,324
Annual budget                              $3.0 billion      $2.4 billion
Risk Management Division positions         179               58
Stakeholder Engagement Division positions  200               53

By December 2025, headcount had already fallen from roughly 3,400 to 2,400. A six-week federal shutdown that started October 1, 2025, furloughed two-thirds of remaining staff. The Trump administration has since proposed an additional $707 million cut for FY2027. Asking a thinner CISA to enforce a tighter deadline is the policy collision nobody at the podium wants to name.

Where 72 Hours Breaks

The deadline is technically achievable for cloud-hosted software with mature CI/CD. It is far harder everywhere else. Trey Ford, Chief Strategy and Trust Officer at Bugcrowd, framed the new floor bluntly in a written response: “Three days is not a technical mandate. It is a business continuity objective. Organizations that have built remediation into a two-week approval chain will find that chain now creates liability and extends exposure.”

OT, ICS, And Anything That Cannot Reboot

Operational technology is where the proposal hits a wall. Power grids, water treatment plants, and air traffic systems run on equipment that often cannot be patched without scheduled outages. Some of it cannot be patched at all without replacing hardware. Louis Eichenbaum, federal CTO at ColorTokens, argued agencies should pair patching with microsegmentation: “By implementing granular microsegmentation, agencies can create secure, policy-enforced boundaries around vulnerable systems, restricting traffic flows and preventing lateral movement even if a system is compromised.”

The Testing Window Problem

Security teams call the regression-testing requirement the “do no harm” floor. A bad patch can knock production offline for longer than the original vulnerability would. Federal agencies running ERP, claims processing, or benefits systems negotiate maintenance windows weeks ahead.

Patching in large organizations is not a single action by one individual or team. It is a chain of dependencies to verify asset discovery, impact analysis, regression testing, change management, outage coordination, and often regulatory validation.

That assessment came from BeyondTrust Chief Security Advisor Morey Haber, who called the proposal “a recognition that the threat landscape has fundamentally changed.” His warning was that compressed timelines also compress vendor patch quality. A patch shipped in 48 hours and pushed to production in 24 may itself introduce regressions or new attack surface.

The Bitsight Reality Check

The hardest number for CISA to wave away comes from Bitsight’s 2024 KEV catalog analysis, which scanned 1.4 million organizations. The findings:

  • 137 days: average time to remediate a critical KEV in industry.
  • 238 days: average for high-severity KEVs.
  • 60%: share of KEVs missed past their CISA deadline.
  • 56%: how much more likely federal agencies are to hit deadlines compared to private organizations.

Federal performance is better, but it still misses the current 14-day mark on a substantial share of entries. Compressing the goal to 72 hours without first closing the existing gap risks creating a paper standard nobody actually meets, the kind of compliance failure auditors flag and adversaries ignore.

What Andersen Has Already Done

The proposal is not theoretical. CISA has been issuing three-day directives selectively for months, in effect stress-testing the policy before formalizing it.

  1. February 20, 2026: federal agencies given 72 hours to patch an actively exploited Dell vulnerability.
  2. Late April 2026: a similar three-day order issued for a BeyondTrust Remote Support remote code execution flaw.
  3. April 20, 2026: eight new KEV entries added with May 2026 deadlines, several with compressed windows.
  4. May 1, 2026: Reuters reports the broader proposal to make 72 hours the default.

The pattern reads like a rollout, not a trial balloon. Each emergency directive surfaces operational friction that informs the next one, and gives Andersen evidence he can wave at OMB when the formal directive lands.

What Defenders Are Doing Instead

Real-time vulnerability management was already the direction of travel. The proposal accelerates the timeline and broadens who has to play. Collin Hogue-Spears at BlackDuck put it in plainer terms in a written response: security leaders need to replace emergency-patch heroics with pre-staged remediation lanes featuring named system owners, automated rollback testing, and pre-approved compensating controls.

For most agencies, that means three concurrent investments. Continuous asset discovery, because you cannot patch what you do not know you own. Reachability analysis, because not every KEV is actually exposed in every environment. And containment tooling, so a system that cannot be patched in 72 hours can at least be quarantined inside it.

Frequently Asked Questions

Does the three-day deadline apply to private companies?

No. BOD 22-01 binds only Federal Civilian Executive Branch agencies. Defense, intelligence, and judicial branches are excluded. That said, contractors selling to FCEB agencies, FedRAMP-authorized cloud providers, and any vendor in a federal supply chain will inherit the deadline through contract language. Private firms not touching federal contracts face no direct mandate, but cyber insurers and auditors typically use CISA timelines as a benchmark.

When would the new deadline take effect?

No date has been announced. Reuters reports the proposal is still under discussion between Andersen and Cairncross, and CISA has not commented. Historically, binding operational directives take 30 to 90 days from public release to enforcement. Expect a comment period if the change goes through formal rulemaking, though emergency directives can bypass that route entirely.

What counts as a KEV vulnerability?

A flaw qualifies for the CISA Known Exploited Vulnerabilities Catalog only when three conditions are met: it has a CVE ID, it has a vendor patch or documented workaround, and CISA has reliable evidence of active exploitation in the wild. Proof-of-concept code, scanning activity, or theoretical exploits do not count. The catalog updates several times per week and is published at cisa.gov.

How can agencies track upcoming KEV deadlines?

Subscribe to CISA’s KEV RSS feed or the JSON catalog endpoint at cisa.gov, both of which carry due dates per entry. Pair that with an internal SLA dashboard tied to your CMDB, so every KEV CVE auto-creates a remediation ticket with the CISA-assigned deadline as the due date. Most modern vulnerability management platforms ingest the KEV feed natively. Manual tracking on a spreadsheet will not survive a 72-hour cadence.
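As an added illustration (not code from the article, CISA, or any vendor platform), the script below shows what that SLA tracking looks like in practice: it parses a catalog snapshot in the shape of the KEV JSON feed, turns each entry into a remediation ticket whose due date is the CISA-assigned deadline, and also computes what the same entries would look like under a 72-hour default measured from the date the entry was added. The field names (cveID, vendorProject, product, dateAdded, dueDate, requiredAction) follow the public KEV feed schema as understood here; the three entries, their CVE IDs and the "today" date are constructed placeholders, not real catalog records.

```python
"""Triage a KEV catalog snapshot against the current and a proposed deadline.

Illustrative example only (not the article's or CISA's code). Field names are
assumed to match the public KEV JSON feed; sample entries are constructed.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date, timedelta

CURRENT_WINDOW_DAYS = 14   # BOD 22-01 default for recent CVEs
PROPOSED_WINDOW_DAYS = 3   # the 72-hour default under discussion

# Constructed sample in the shape of the KEV feed. CVE-0000-xxxxx are placeholders.
SAMPLE_KEV_JSON = """
{
  "title": "Constructed KEV sample",
  "count": 3,
  "vulnerabilities": [
    {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor", "product": "ExampleGateway",
     "dateAdded": "2026-05-06", "dueDate": "2026-05-20",
     "requiredAction": "Apply mitigations per vendor instructions or discontinue use."},
    {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVendor", "product": "ExampleVPN",
     "dateAdded": "2026-04-20", "dueDate": "2026-05-11",
     "requiredAction": "Apply mitigations per vendor instructions or discontinue use."},
    {"cveID": "CVE-0000-00003", "vendorProject": "ExampleVendor", "product": "ExampleERP",
     "dateAdded": "2026-04-01", "dueDate": "2026-04-22",
     "requiredAction": "Apply mitigations per vendor instructions or discontinue use."}
  ]
}
"""


def parse_kev(text: str) -> list[dict]:
    """Return the vulnerability entries from a KEV catalog JSON document."""
    return json.loads(text)["vulnerabilities"]


@dataclass
class Triage:
    cve_id: str
    product: str
    cisa_due: date          # deadline CISA assigned in the feed
    proposed_due: date      # dateAdded + proposed window
    days_left_cisa: int
    days_left_proposed: int

    def status(self, proposed: bool = False) -> str:
        """'overdue', 'due_today' or 'open' under the chosen deadline regime."""
        left = self.days_left_proposed if proposed else self.days_left_cisa
        if left < 0:
            return "overdue"
        return "due_today" if left == 0 else "open"


def triage_entries(entries: list[dict], today: date,
                   window_days: int = PROPOSED_WINDOW_DAYS) -> list[Triage]:
    """Compute days remaining per entry under both regimes, most urgent first."""
    rows = []
    for e in entries:
        added = date.fromisoformat(e["dateAdded"])
        cisa_due = date.fromisoformat(e["dueDate"])
        proposed_due = added + timedelta(days=window_days)
        rows.append(Triage(
            cve_id=e["cveID"],
            product=f'{e["vendorProject"]} {e["product"]}',
            cisa_due=cisa_due,
            proposed_due=proposed_due,
            days_left_cisa=(cisa_due - today).days,
            days_left_proposed=(proposed_due - today).days,
        ))
    rows.sort(key=lambda t: t.days_left_proposed)
    return rows


def make_ticket(t: Triage, proposed: bool = False) -> dict:
    """Shape a remediation ticket; the catalog deadline becomes the due date."""
    due = t.proposed_due if proposed else t.cisa_due
    urgent = t.status(proposed) in ("overdue", "due_today")
    return {
        "title": f"KEV remediation: {t.cve_id} ({t.product})",
        "due_date": due.isoformat(),
        "priority": "P1" if urgent else "P2",
        "source": "CISA KEV",
    }


def count_by_status(rows: list[Triage], proposed: bool = False) -> dict:
    """Tally entries by status so the two regimes can be compared side by side."""
    counts: dict[str, int] = {}
    for t in rows:
        s = t.status(proposed)
        counts[s] = counts.get(s, 0) + 1
    return counts


if __name__ == "__main__":
    today = date(2026, 5, 9)  # constructed reference date
    rows = triage_entries(parse_kev(SAMPLE_KEV_JSON), today)
    for t in rows:
        print(f"{t.cve_id}: CISA {t.cisa_due} ({t.status()}), "
              f"72h {t.proposed_due} ({t.status(proposed=True)})")
    print("current regime:", count_by_status(rows))
    print("proposed regime:", count_by_status(rows, proposed=True))
```

Against the constructed snapshot, one of three entries is overdue under the current deadlines, while two are overdue and the third is due the same day under a 72-hour window measured from dateAdded; sorting by the proposed days-left column is what puts the oldest unaddressed entry at the top of the queue.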

What if a system cannot be patched in three days?

BOD 22-01 already allows two paths: apply the patch or remove the vulnerable product from the network. The second option is the legal escape hatch when patching is impossible. Practical alternatives include network isolation, microsegmentation, putting the asset behind a strict allowlist, or applying a vendor-provided mitigation. Agencies should pre-document compensating controls now, because negotiating them inside a 72-hour window is too slow.

None of this changes if the proposal stalls. Mythos and its eventual successors will still ship, attackers will still automate, and the gap between disclosure and exploitation will keep shrinking. The 72-hour debate is really a debate about whether federal IT can move at machine speed at all. The honest answer, today, is that most of it cannot. The deadline forces the question; the budget cuts complicate the answer.

Disclaimer: This article reports on a proposed federal cybersecurity policy and recommended defensive practices. The information provided is for general awareness only and should not replace formal incident response procedures or agency-specific compliance guidance. System administrators should validate every patch in a controlled environment before production deployment and consult their security operations team or contracting officer for binding obligations. Deadlines, directives, and figures cited reflect public reporting as of May 9, 2026 and are subject to change.

Logan Pierce is a writer and web publisher with over seven years of experience covering consumer technology. He has published work on independent tech blogs and freelance bylines covering Android devices, privacy focused software, and budget gadgets. Logan founded Oton Technology to publish clear, no nonsense tech news and reviews based on real hands on testing. He has personally tested and reviewed dozens of mid range and budget Android phones, written extensively about app privacy, and built and managed multiple WordPress publications over the past decade. Logan holds a bachelor's degree in English and studied digital marketing at a certificate level.
