Experts have mixed reactions to a report that the US Cybersecurity and Infrastructure Security Agency (CISA) is considering reducing the timeline in which government agencies must address critical vulnerabilities from two weeks to only three days.
The current 14-day window applies to high-severity flaws dating from 2021 onwards, listed as known to be under exploit in CISA’s Known Exploited Vulnerabilities (KEV) Catalog.
According to a Reuters report citing two unnamed sources, this might be reduced to 72 hours amid growing concern that AI models such as Anthropic’s Claude Mythos (which, according to a recent report, CISA has not yet had access to) will accelerate the ability of attackers to uncover and exploit the most serious flaws.
This potential reduction remains an unconfirmed discussion point, and no timeline for the introduction of an alteration has been proposed. However, in a signal that any change will have weight behind it, decision makers involved include Nick Andersen, the acting chief of the Cybersecurity and Infrastructure Security Agency, and Sean Cairncross, US national cyber director, Reuters said.
CISA’s current requirements
CISA’s current remediation deadlines depend on a flaw’s severity, which is influenced by a range of factors. The most urgent category, zero-days — vulnerabilities known to be under exploitation, but which lack an available patch — is covered by Emergency Directives that require remediation within 24 to 72 hours.
Next are the 14-day KEV Catalog vulnerabilities under Binding Operational Directive 22-01 (BOD 22-01). In addition to being under active exploitation, a vulnerability in this category must have a CVE identifier and an available patch or workaround.
Underlining the urgency, threat intelligence platform VulnCheck recently reported that 29% of KEV-level vulnerabilities in 2025 showed evidence of exploitation on or before the day the CVE was published.
Critical vulnerabilities not known to be under active exploitation, on the other hand, are categorized under BOD 19-02, which allows for a remediation timeline of between 15 and 30 days, depending on the CVSS score.
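One way a security team might measure where it stands under the current KEV due dates versus the 72-hour window being discussed, as an added example that is not part of the original article or any CISA tooling: the field names cveID, dateAdded and dueDate match CISA's published KEV JSON feed, but the entries, ticket dates and the REMEDIATED lookup are constructed sample data.

```python
"""Score remediation records against CISA KEV due dates and the proposed
72-hour window. Added example: the field names cveID, dateAdded and dueDate
match CISA's KEV JSON feed, but the entries and ticket dates are constructed."""
import json
from collections import Counter
from datetime import date, datetime, timedelta

# Constructed KEV-style feed (not real catalog entries).
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "dateAdded": "2025-03-03", "dueDate": "2025-03-17"},
    {"cveID": "CVE-0000-0002", "dateAdded": "2025-03-05", "dueDate": "2025-03-19"},
    {"cveID": "CVE-0000-0003", "dateAdded": "2025-03-10", "dueDate": "2025-03-24"},
    {"cveID": "CVE-0000-0004", "dateAdded": "2025-03-30", "dueDate": "2025-04-13"},
]})
# Constructed internal ticket closure dates; None means the fix is still open.
REMEDIATED = {"CVE-0000-0001": "2025-03-05", "CVE-0000-0002": "2025-03-18",
              "CVE-0000-0003": "2025-03-30", "CVE-0000-0004": None}
PROPOSED_WINDOW = timedelta(days=3)  # the 72-hour window under discussion

def _parse(s):
    return datetime.strptime(s, "%Y-%m-%d").date()

def _status(done, deadline, today):
    """met/missed for closed tickets; open tickets are missed only once overdue."""
    if done is not None:
        return "met" if done <= deadline else "missed"
    return "missed" if today > deadline else "open"

def assess(feed_json, remediated, today):
    """Per-CVE status under the feed's dueDate and under dateAdded + 72h."""
    rows = []
    for v in json.loads(feed_json)["vulnerabilities"]:
        added = _parse(v["dateAdded"])
        fixed = remediated.get(v["cveID"])
        done = _parse(fixed) if fixed else None
        rows.append({
            "cveID": v["cveID"],
            "current": _status(done, _parse(v["dueDate"]), today),
            "proposed_72h": _status(done, added + PROPOSED_WINDOW, today),
        })
    return rows

def compliance(rows):
    """Count met/missed/open under each deadline regime."""
    return {k: dict(Counter(r[k] for r in rows)) for k in ("current", "proposed_72h")}
```

Running the same records through both regimes shows the point Patel makes below: a team that closes tickets near the 14-day mark keeps its current score but loses it entirely under a three-day clock.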
Moving to 72-hour remediation would mark a huge change in workload for security teams inside US government agencies. It might also set a new benchmark for best practice in the private sector. The question is whether applying fixes or remediation within three days is a practical goal.
Tight window
A CISA spokesperson declined to comment on the Reuters report, but security experts were more forthcoming, with most believing the idea is simply an acknowledgement that modern vulnerability management is evolving.
One source of anxiety was that a three-day timeline would leave little time for meaningful testing, normally a time-consuming and complex undertaking that ensures that a patch, remediation, or workaround doesn’t break any of the systems around it.
“No responsible IT team is going to release patches without proper testing. Even for critical vulnerabilities, 2-3 days is an extremely tight window, especially if they involve complex systems and require wide distribution,” said William Wright of UK penetration testing company Closed Door Security.
“Claude Mythos is a source code reviewer and it doesn’t actively exploit vulnerabilities in the wild. While the model is powerful and could turn up flaws faster, forcing IT teams to respond more rapidly will only lead to poorly-tested stopgaps and cause further problems down the line.”
Another expert questioned whether agencies even fully understood their exposure. “Three days is the wrong question. What you’re really asking is whether agencies can find every system they own, know every dependency, and produce evidence that the patch landed. Most can’t, whether it’s day 3 or day 30,” commented Mit Patel, founder and CEO of MSP continuous verification company Assurix.
Patel continued: “CISA’s been running accelerated timelines since 2021, through KEV and BOD 22-01. The 14-day default already gets compressed for the worst CVEs. Going to three days as standard is a tighter version of something we already do. Agencies that hit 14 days reliably will probably hit three days. Agencies that miss 14 days will miss three days by the same margin.”
However, Adam Arellano, field CTO at API security company Harness, said that moving to a three-day fix window was only possible if agencies had the processes and technology necessary to achieve it.
“A three-day fixed remediation timeline is completely achievable,” said Arellano. “The process isn’t inherently complex, but it’s been made complex over time, especially within government environments that have been slow to adopt modern technologies. With the right systems in place, this can be a streamlined and manageable process.”
To Arellano, the patching window change is inevitable. “The window between a vulnerability being discovered and exploited is shrinking to minutes and soon may be effectively instantaneous,” he said. “Being able to respond almost immediately will be critical.”