U.S. cybersecurity officials are considering a significant policy shift that would reduce the time federal agencies have to fix critical vulnerabilities from weeks to just three days, as artificial intelligence continues to accelerate cyberattacks and increase the scale and sophistication of threats targeting government systems.
Advanced tools like Anthropic Mythos and OpenAI GPT-5.4-Cyber are reshaping the threat landscape by enabling attackers to quickly identify unknown weaknesses or exploit newly disclosed flaws, often automating complex attack chains that previously required highly skilled human operators. What once took weeks or months can now happen in hours, dramatically shrinking the response window for defenders and leaving little room for delayed action or manual processes.
Currently, the Cybersecurity and Infrastructure Security Agency (CISA) gives federal civilian agencies roughly two to three weeks to remediate vulnerabilities listed in its Known Exploited Vulnerabilities (KEV) catalog, which prioritizes flaws actively being abused by cybercriminals or nation-state actors. That timeline has already been trending shorter, but the new proposal would make three days the default, particularly for actively exploited issues, signaling a more aggressive and proactive federal cybersecurity posture.
Security leaders say the change reflects a new reality. With AI compressing attack timelines, organizations can no longer rely on traditional patch cycles. Faster detection, prioritization, and remediation are becoming essential to prevent breaches.
The discussions involve senior officials and could have broader implications beyond federal systems. If implemented, the policy may influence cybersecurity standards for state and local governments, as well as private-sector organizations that often align with federal guidance.
The push highlights a growing consensus: in an AI-driven threat environment, speed is critical, and delayed patching may no longer be an option.