CISA has issued a new binding directive that shortens remediation timelines for the most urgent vulnerabilities, citing the speed and scale of AI-assisted exploitation.

CISA has issued a new binding operational directive that sharply accelerates patching deadlines for federal civilian agencies, according to reporting published June 10. The move reflects a growing concern inside the federal cyber apparatus: AI is making it faster for attackers to find software flaws and to automate their exploitation.

The directive applies to federal civilian executive branch agencies. For the highest-priority vulnerabilities, the report says agencies now have as little as three days to remediate once a bug meets all four of CISA's urgency criteria.

The four criteria are public exposure, inclusion in CISA's Known Exploited Vulnerabilities Catalog, whether the exploit can be automated, and the level of access a successful attacker could gain. The directive also requires agencies to determine whether affected systems have already been compromised, including through forensic triage.

Why CISA is moving faster

Chris Butera, CISA's acting Executive Assistant Director for cybersecurity, said the directive is meant to help agencies focus on the assets most at risk. He linked the change to advances in artificial intelligence, saying threat actors can now identify and weaponize vulnerabilities more quickly.

That rationale is central to the policy shift. CISA is no longer treating the most dangerous bugs as problems that can wait through a long remediation cycle; it is treating them as fast-moving operational threats that may need to be contained within days.

How the new timeline compares

The new directive replaces earlier CISA timelines from 2019 and 2021, which allowed up to 15 days for the most critical bugs and 30 days for another high-urgency class, according to the report.

That is a significant tightening of the federal patch window. It also suggests CISA believes the older cadence no longer matches the pace of modern exploitation, especially when attackers can use AI-assisted tooling to speed up reconnaissance and attack development.

What agencies must do now

The policy does more than shorten deadlines. Agencies must also quickly assess whether a system has already been breached, which adds a forensic burden on top of patching and prioritization.

That combination matters operationally. Federal defenders will need to move faster on both remediation and incident verification, especially when a vulnerability meets multiple risk criteria and is likely to attract active exploitation.

The report says the directive is designed to help agencies rank urgency more precisely, rather than applying one broad deadline across all vulnerabilities. In practice, that means security teams will have to make faster judgments about exposure, exploitability, and potential access impact.

What remains unknown

The official directive text would clarify the full remediation matrix and whether additional deadlines exist beyond the three-day top tier. For now, the reporting confirms the core policy change but leaves some implementation details unresolved.

It is also unclear whether agencies will publicly raise concerns about feasibility or issue guidance on how they plan to absorb the extra workload. Further reporting may show how the new rules are applied once the directive is circulated more widely.
