CISA is considering a drastic reduction in the timeframe for government agencies to remediate critical vulnerabilities, from 14 days to just 72 hours. This change would apply to high-severity flaws listed in CISA's Known Exploited Vulnerabilities Catalog, which currently includes vulnerabilities from 2021 onwards. The proposed reduction is reportedly driven by growing concerns over the potential for AI models to accelerate exploitation of these vulnerabilities. Experts have expressed mixed reactions to the plan, citing potential challenges in meeting such a tight deadline. The current 14-day window has been in place for vulnerabilities listed in the KEV Catalog, including those with CVE numbers assigned since 2021 [1]. This potential change matters to security practitioners because it would require them to develop and implement expedited patch management processes to avoid potential exploits.
CISA mulls new three-day remediation deadline for critical flaws
⚡ High Priority
Why This Matters
The current 14-day window applies to high-severity flaws dating from 2021 onwards, listed as known to be under exploit in CISA’s Known Exploited Vulnerabilities (KEV) Catalog.
References
- CSO Online. (2026, May 5). CISA mulls new three-day remediation deadline for critical flaws. CSO Online. https://www.csoonline.com/article/4167422/cisa-mulls-new-three-day-remediation-deadline-for-critical-flaws.html
Original Source
CSO Online