World May 1, 2026 01:08 PM

U.S. Officials Consider Drastically Shorter Fix Deadlines as AI-Driven Hacking Raises Alarm

Proposal would cut default repair window for actively exploited government vulnerabilities from 14 days to three, officials and analysts say

By Leila Farooq

U.S. cybersecurity leaders are weighing a proposal to shorten mandatory response times for actively exploited vulnerabilities in federal systems from two weeks to three days amid concerns that advanced AI models can rapidly weaponize disclosed software flaws. The suggestion, under discussion among senior officials at CISA and the White House cyber office, reflects industry unease over compressed exploitation timelines and questions about agencies' capacity to meet tighter deadlines.

Key Points

  • Federal proposal to cut patching deadlines from 14 days to three aims to counter faster AI-enabled exploitation; impacts government and security sectors
  • Discussions involve acting CISA chief Nick Andersen and U.S. national cyber director Sean Cairncross; no final decision announced
  • Capacity limits at CISA and complex patch testing in some environments create implementation challenges, affecting government IT and financial services

Top U.S. cybersecurity officials are discussing a significant acceleration of response times for repairing critical software flaws in federal systems, according to people familiar with the deliberations. The proposal under consideration would reduce the typical two-week deadline for addressing vulnerabilities listed as known-and-exploited, or KEVs, in CISA’s catalogue to just three days.

Those close to the talks said the move is driven by growing anxiety over increasingly capable artificial intelligence models, including Anthropic’s Mythos and OpenAI’s GPT-5.4-Cyber, which are now viewed as able to find previously unknown weaknesses or quickly exploit newly disclosed ones. Officials and industry experts report that the interval between disclosure and active exploitation has in some cases shrunk from months or weeks to hours.

"If you’re going to protect civil agencies, you’re going to have to move faster," said Stephen Boyer, founder of cybersecurity firm Bitsight, which has helped the Cybersecurity and Infrastructure Security Agency catalogue vulnerabilities. "We don’t have as much of a window as we used to have."

According to two sources with knowledge of the matter, the deadline proposals are being discussed by Nick Andersen, the acting head of the Cybersecurity and Infrastructure Security Agency, and Sean Cairncross, the U.S. national cyber director. It was not possible to confirm whether a final decision has been taken or when one might be announced. CISA and the Office of the National Cyber Director did not immediately comment.

CISA has maintained a curated list of KEVs for years. These entries identify flaws that are publicly known and already being abused by criminals or state-backed actors, and they are prioritized for remediation. Under the agency’s current practice, civilian federal bodies typically receive a two-week mandate to patch or otherwise mitigate KEVs once they are added to the database. While CISA has occasionally shortened those timelines for especially severe cases, the new proposals would make a three-day response the default for actively exploited vulnerabilities, the sources said.

Industry and government leaders have been responding to the release of more advanced AI tools that security professionals fear can accelerate and complicate attacks. Those worries have spread through the technology and financial sectors, with banking leaders described as scrambling while regulators work to assess the risks posed by the newer models.

Former CISA deputy director Nitin Natarajan, who now leads cyber consultancy NN Global, said he expects changes at the federal level to influence state and local governments as well as private-sector organizations. "This is a signal to others that says, 'Hey you need to do this more quickly,'" he said. Natarajan added that shortening deadlines is logical in light of AI-driven threats, but he cautioned that CISA has experienced reductions in staffing and has been affected by recent government shutdowns. "We’ve seen a reduction in their resources, both in funding and expertise," he said.

Security practitioners warned that rapid remediation is not always straightforward. Kecia Hoyt, a vice president at threat intelligence firm Flashpoint, underscored that applying patches often requires complex testing before deployment. "Realistically, three days is simply impossible for some environments," she said.

John Hammond, senior principal security researcher at Huntress, described a potential reduction from 14 days to three as "quite a change." He said he was cautiously optimistic about speeding up responses, but added that broader industry performance will determine whether tighter timelines are sustainable. "Only time will tell how well the industry keeps up," Hammond said.

The discussion at CISA comes as the private and public sectors grapple with how to adjust defenses and operational practices in the face of AI models that accelerate vulnerability discovery and exploitation. Officials considering the deadline shift are weighing how to balance urgency with the practical realities of testing and deploying fixes across varied environments.

The sources emphasized that the proposal is under discussion and that no formal policy change has been confirmed. As deliberations continue, agencies and industry groups are evaluating their capacity to act within much shorter windows, and whether additional resources or procedural changes will be necessary to meet any new federal requirements.


Key points

  • Federal cybersecurity officials are considering reducing the default remediation window for actively exploited vulnerabilities from 14 days to three days, reflecting concerns about faster AI-enabled exploitation.
  • The change is being discussed by acting CISA chief Nick Andersen and U.S. national cyber director Sean Cairncross; no final decision has been confirmed and CISA did not comment.
  • The shift would likely influence state, local and private sector practices; banking and digital security sectors are already assessing implications as regulators and firms react to more advanced AI tools.

Risks and uncertainties

  • Resource constraints at CISA, including reduced staffing and funding, could limit the agency’s ability to manage faster remediation cycles, a concern for government IT and cybersecurity service sectors.
  • Operational limits in some environments make three-day patch windows unrealistic, signaling potential implementation challenges for federal agencies and critical infrastructure operators.
  • Advanced AI models compressing exploitation timelines to hours increase uncertainty about whether current vulnerability management processes can be meaningfully accelerated across public and private systems.

Risks

  • CISA resource reductions could hamper enforcement of shorter deadlines, impacting federal cybersecurity operations and vendor ecosystems
  • Some environments cannot realistically apply fixes within three days, risking incomplete remediation or operational disruptions for critical infrastructure operators
  • AI-driven shortening of exploitation windows raises uncertainty about the effectiveness of current vulnerability management across public and private sectors
