CISA Requires US Agencies to Fix Security Bugs Within 3 Days
CISA's new directive requires federal agencies to patch security bugs within 3-30 days based on urgency, amid AI-fueled vulnerability discovery and exploitation.

The United States Cybersecurity and Infrastructure Security Agency (CISA) has released a new directive requiring federal civilian agencies to patch software vulnerabilities more rapidly, on a schedule set by a rubric of urgency. The directive comes as AI models speed up software vulnerability discovery and raise the potential for faster exploitation by malicious hackers. Chris Butera, CISA's acting executive assistant director for cybersecurity, said the goal is to help agencies prioritize and address the most problematic vulnerabilities first.
The directive lays out a patching framework built on four urgency criteria, with a turnaround of just three days in the most critical cases. The criteria are whether the vulnerable system is publicly exposed (reachable from the internet), whether the bug is listed in CISA's Known Exploited Vulnerabilities (KEV) Catalog, whether an attacker could automate the exploitation steps, and how much access a successful exploit would give the attacker. A vulnerability meeting all four criteria must be fixed within three days.
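As an added illustration of how an agency might apply the four criteria described above (this is example code written for this page, not CISA tooling or anything from the directive itself): the script below indexes an excerpt of CISA's public KEV JSON feed and joins it against scanner findings, so that the KEV criterion is derived from the catalog rather than entered by hand. The feed URL is real; the CVE IDs, vendor and product names, host names and the three boolean assessments are constructed placeholders. Two assumptions are labelled in the code: the three-day clock is counted from the assessment date (the article does not say when it starts), and findings that do not meet all four criteria get no deadline, because the article does not spell out the lower tiers.

```python
import json
from datetime import date, timedelta

# Constructed excerpt in the shape of CISA's public KEV feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# The CVE IDs, vendor and product names below are placeholders, not real catalog entries.
KEV_FEED_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "example",
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "EdgeGateway",
         "vulnerabilityName": "placeholder", "dateAdded": "2026-01-02",
         "shortDescription": "placeholder", "requiredAction": "Apply vendor update",
         "dueDate": "2026-01-23", "knownRansomwareCampaignUse": "Known", "notes": ""},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "InternalTool",
         "vulnerabilityName": "placeholder", "dateAdded": "2026-01-10",
         "shortDescription": "placeholder", "requiredAction": "Apply vendor update",
         "dueDate": "2026-01-31", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    ],
})

# Constructed scanner findings. The three non-KEV criteria (exposure, automatable
# exploitation, access gained) are operator assessments supplied as booleans here;
# the KEV criterion is derived from the feed rather than entered by hand.
FINDINGS_SAMPLE = [
    {"cve": "CVE-0000-0001", "host": "vpn-edge-01", "internet_exposed": True,
     "automatable": True, "high_access": True},
    {"cve": "CVE-0000-0002", "host": "build-box-07", "internet_exposed": False,
     "automatable": True, "high_access": True},
    {"cve": "CVE-0000-0003", "host": "www-02", "internet_exposed": True,
     "automatable": True, "high_access": True},   # not in the feed
]


def load_kev(feed_json: str) -> dict[str, dict]:
    """Index a KEV feed (real or sample) by CVE ID."""
    return {entry["cveID"]: entry for entry in json.loads(feed_json)["vulnerabilities"]}


def triage(findings: list[dict], feed_json: str, assessed_on: date) -> list[dict]:
    """Apply the four criteria to each finding.

    A finding that meets all four falls in the three-day bucket, with the
    deadline counted from the assessment date (an assumption; the article does
    not say when the clock starts). Lower tiers are not specified in the
    article, so other findings get no deadline from this function; the KEV
    entry's own dueDate is carried through where one exists.
    """
    kev = load_kev(feed_json)
    results = []
    for f in findings:
        entry = kev.get(f["cve"])
        all_four = (f["internet_exposed"] and entry is not None
                    and f["automatable"] and f["high_access"])
        results.append({
            "cve": f["cve"],
            "host": f["host"],
            "in_kev": entry is not None,
            "three_day": all_four,
            "deadline": assessed_on + timedelta(days=3) if all_four else None,
            "kev_due_date": entry["dueDate"] if entry else None,
            "ransomware_use": entry["knownRansomwareCampaignUse"] if entry else None,
        })
    return results


def run_example(assessed_on: date = date(2026, 2, 1)) -> list[dict]:
    """Run the triage over the constructed samples."""
    return triage(FINDINGS_SAMPLE, KEV_FEED_SAMPLE, assessed_on)


if __name__ == "__main__":
    for r in run_example():
        flag = "THREE-DAY" if r["three_day"] else "lower tier"
        print(f'{r["cve"]} on {r["host"]}: {flag}, KEV={r["in_kev"]}, deadline={r["deadline"]}')
```

To use it against the live catalog, replace `KEV_FEED_SAMPLE` with the body fetched from the feed URL above; the key names (`cveID`, `dueDate`, `knownRansomwareCampaignUse`) match the published schema. The point of deriving the KEV criterion from the feed is that it changes daily, and a hand-maintained flag in a ticket goes stale.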
The directive supersedes previous CISA orders from 2019 and 2021, which required agencies to patch urgent vulnerabilities within 15 to 30 days. CISA noted that threat actors are extremely fast to exploit vulnerabilities: 42% of exploited bugs are used on the day of disclosure (day 0) and 75% within 28 days. CISA developed the new assessment rubric and directive with agencies' funding shortfalls and competing priorities in mind.
CISA settled on three days, rather than 24 hours, for the most urgent vulnerabilities, since a 24-hour turnaround would not be feasible for most agencies. New AI capabilities are changing the vulnerability detection and bug hunting landscape, and many researchers conclude that no amount of patching will be enough: the software development community must adopt new approaches that invalidate whole classes of vulnerabilities.
'CISA's directive has its heart in the right place, but it only tackles half the challenge,' says Emily Long, CEO of Edera. 'If your architecture doesn't limit what an attacker can reach after a breach, you're just running faster on the same treadmill.' CISA's Butera acknowledged this evolution, stating the new directive 'is an initial step to counter the increased capabilities of emerging AI models. Yet there is still more work to do.'

Why this matters: The CISA directive highlights the growing concern over AI-fueled vulnerability discovery and exploitation.
As AI models accelerate the process of finding and exploiting software bugs, federal agencies must adapt to address the most critical vulnerabilities quickly. The directive's impact extends beyond government agencies, since it sets a precedent for the private sector to prioritize vulnerability remediation on similar timelines. Developers and businesses should consider architectural approaches that invalidate whole classes of vulnerabilities, rather than relying on patching alone.
Source: Wired