{"id":16176,"date":"2026-05-05T19:38:32","date_gmt":"2026-05-05T19:38:32","guid":{"rendered":"https:\/\/newestek.com\/?p=16176"},"modified":"2026-05-05T19:38:32","modified_gmt":"2026-05-05T19:38:32","slug":"cisa-mulls-new-three-day-remediation-deadline-for-critical-flaws","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=16176","title":{"rendered":"CISA mulls new three-day remediation deadline for critical flaws"},"content":{"rendered":"
\n
\n
\n
\n
\n
\n
<\/div>\n<\/section>\n

Experts have mixed reactions to a report that the US Cybersecurity and Infrastructure Security Agency (CISA) is considering reducing the timeline in which government agencies must address critical vulnerabilities from two weeks to only three days.<\/p>\n

The current 14-day window applies to high-severity flaws dating from 2021 onwards, listed as known to be under exploit in CISA\u2019s Known Exploited Vulnerabilities<\/a> (<\/strong>KEV) Catalog.<\/p>\n

According to a Reuters<\/a> report citing two unnamed sources, this might be reduced to 72 hours amid growing concern that AI models such as Anthropic\u2019s Claude Mythos<\/a> (which, according to a recent report<\/a>, CISA has not yet had access to) will accelerate the ability of attackers to uncover and exploit the most serious flaws.<\/p>\n

This potential reduction remains an unconfirmed discussion point, and no timeline for the introduction of an alteration has been proposed. However, in a signal that any change will have weight behind it, decision makers involved include Nick Andersen<\/a>, the acting chief of the Cybersecurity and Infrastructure Security Agency, and Sean Cairncross<\/a>, US national cyber director, Reuters said.<\/p>\n

CISA\u2019s current requirements<\/h2>\n

CISA\u2019s current remediation deadlines depend on a flaw\u2019s severity, which is influenced by a range of factors. The most urgent category, zero-days \u2014 vulnerabilities known to be under exploitation, but which lack an available patch \u2014 are covered by Emergency Directives<\/a> that require remediation within 24 to 72 hours.<\/p>\n

Next are the 14-day KEV Catalogue vulnerabilities under Binding Operational Directives (BOD 22-01<\/a>). In addition to being under active exploitation, a vulnerability in this category must have a CVE identifier and an available patch or workaround.<\/p>\n

Underlining the urgency, threat intelligence platform VulnCheck recently reported that 29% of KEV-level vulnerabilities<\/a> in 2025 showed evidence of exploitation on or before the day the CVE was published.<\/p>\n

Critical vulnerabilities not known to be under active exploitation, on the other hand, are categorized under BOD 19-02<\/a>, which allows for a remediation timeline of between 15 and 30 days, depending on the CVSS score. \u00a0<\/p>\n

Moving to 72-hour remediation would mark a huge change in workload for security teams inside US government agencies. It might also set a new benchmark for best practice in the private sector. The question is whether applying fixes or remediation within three days is a practical goal.<\/p>\n

Tight window<\/h2>\n

A CISA spokesperson declined to comment on the Reuters report, but security experts were more forthcoming, with most believing the idea is simply an acknowledgement that modern vulnerability management is evolving.<\/p>\n

One source of anxiety was that a three-day timeline would leave little time for meaningful testing, normally a time-consuming and complex undertaking that ensures that a patch, remediation, or workaround doesn\u2019t break any of the systems around it.<\/p>\n

\u201cNo responsible IT team is going to release patches without proper testing. Even for critical vulnerabilities, 2-3 days is an extremely tight window, especially if they involve complex systems and require wide distribution,\u201d said William Wright<\/a> of UK penetration testing company Closed Door Security.<\/p>\n

\u201cClaude Mythos is a source code reviewer and it doesn\u2019t actively exploit vulnerabilities in the wild. While the model is powerful and could turn up flaws faster, forcing IT teams to respond more rapidly will only lead to poorly-tested stopgaps and cause further problems down the line.\u201d<\/p>\n

Another expert questioned whether agencies even fully understood their exposure. \u201cThree days is the wrong question. What you\u2019re really asking is whether agencies can find every system they own, know every dependency, and produce evidence that the patch landed. Most can\u2019t, whether it\u2019s day 3 or day 30,\u201d commented Mit Patel<\/a>, founder and CEO of MSP continuous verification company, Assurix.<\/p>\n

Patel continued: \u201cCISA\u2019s been running accelerated timelines since 2021, through KEV and BOD 22-01. The 14-day default already gets compressed for the worst CVEs. Going to three days as standard is a tighter version of something we already do. Agencies that hit 14 days reliably will probably hit three days. Agencies that miss 14 days will miss three days by the same margin.\u201d<\/p>\n

However, Adam Arellano<\/a>, field CTO at API security company Harness, <\/strong>said <\/strong>that <\/strong>moving to a three-day fix window was only possible if agencies had the processes and technology necessary to achieve it.<\/p>\n

\u201cA three-day fixed remediation timeline is completely achievable,\u201d said Arellano. \u201cThe process isn\u2019t inherently complex, but it\u2019s been made complex over time, especially within government environments that have been slow to adopt modern technologies. With the right systems in place, this can be a streamlined and manageable process.\u201d<\/p>\n

To Arellano, the patching window change is inevitable. \u201cThe window between a vulnerability being discovered and exploited is shrinking to minutes and soon may be effectively instantaneous,\u201d he said. \u201cBeing able to respond almost immediately will be critical.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

Experts have mixed reactions to a report that the US Cybersecurity and Infrastructure Security Agency (CISA) is considering reducing the timeline in which government agencies must address critical vulnerabilities from two weeks to only three days. The current 14-day window applies to high-severity flaws dating from 2021 onwards, listed as known to be under exploit in CISA\u2019s Known Exploited Vulnerabilities (KEV) Catalog. According to a… <\/p>\n

Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-16176","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/16176","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=16176"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/16176\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=16176"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=16176"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=16176"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}