Rising fears over AI-powered cyberattacks are sparking fresh discussions about how fast organizations should fix software flaws—and whether federal agencies should be required to patch vulnerabilities within days instead of weeks.
Cybersecurity specialists argue that quicker patching will often be essential, especially given recent advances in artificial intelligence. However, many caution that simply tightening deadlines won’t automatically speed things up—and might even backfire in some situations.
Following the preview of Anthropic’s Claude Mythos, Trump administration officials have reportedly explored reducing the standard timeframe for federal agencies to address Common Vulnerabilities and Exposures (CVEs) listed on the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities (KEV) catalog.
According to Reuters, leaders at CISA and the Office of the National Cyber Director have debated shortening the typical KEV patching window from two to three weeks down to just three days.
CISA did not respond to inquiries about potential changes to KEV deadlines. However, all four entries added to the KEV catalog between May 6 and May 14 carried a three-day patching requirement.
Any move to accelerate patching timelines will likely pose significant challenges for many federal agencies. Hemant Baidwan, former chief information security officer at the Department of Homeland Security, acknowledged that adopting a three-day deadline “won’t be easy,” but stressed that “it’s necessary.”
“We can no longer afford to stick with outdated remediation cycles—waiting 30, 60, or even 120 days to address a security flaw,” said Baidwan, now executive CISO at security firm Knox Systems, in an interview with Federal News Network.
This sense of urgency stems from the Claude Mythos preview. Yet Rob Joyce, former cybersecurity director at the National Security Agency, noted that “the threat landscape had already shifted dramatically” due to large language models—even before Mythos emerged.
During a recent Secureframe-hosted webinar, Joyce explained that AI systems are now uncovering software vulnerabilities “at industrial scale.”
“It’s not that we’ve hired more people to find bugs,” Joyce said. “The discovery process is now largely automated.”
He urged organizations to rapidly modernize legacy systems—which AI has shown particular skill at exploiting—while accepting that “known vulnerabilities will be targeted.”
“Patch faster, retire end-of-life systems,” Joyce advised. “The CISA KEV catalog is like a flashing red warning light—telling you exactly what attackers are actively exploiting.”
KEV deadlines are already shrinking
Even before last month’s Mythos revelations, CISA had been steadily reducing the time agencies have to patch vulnerabilities listed in the KEV catalog.
In 2026 so far, the average patching deadline for a KEV-listed vulnerability stands at 14.4 days. That’s down from 19.7 days in 2025 and over 20 days in 2024.
Launched in 2021, the KEV catalog was designed to give federal agencies a consistent, repeatable process for addressing high-risk software flaws—moving beyond reliance on ad hoc emergency orders.
The original aim was a two-week patching window. But officials soon found that many agencies consistently missed those targets, sometimes by weeks or even months, according to Tod Beardsley, former section chief for vulnerability response at CISA and now vice president of research at security firm runZero.
“Ironically, shorter deadlines can actually lead to longer patching times,” Beardsley said.
“Once you define success as ‘before the deadline’ and failure as ‘after,’ there’s no further consequence once the deadline passes,” he added.
From 2022 to 2025, CISA typically set patching deadlines at three weeks. Beardsley noted that during his tenure, officials recognized two to three weeks as the “sweet spot” for most agencies.
Since March 2026, however, CISA has shifted most KEV deadlines to 14 days. Of the 61 vulnerabilities in the catalog’s history with a patch window of seven days or fewer, 25 were added this year alone.
“The compression of timelines hasn’t gone unnoticed,” Beardsley said.
A federal chief information officer, speaking anonymously because they weren’t authorized to comment publicly, agreed that patching “needs to be as close to immediate as possible.” Agencies must “speed up both identifying and fixing system vulnerabilities,” including through greater automation.
However, the CIO emphasized that agencies should focus only on flaws that are genuinely exploitable within their own IT environments.
“I support faster timelines, but not every CVE affects us,” the CIO said. “And even when it does, a quick fix may not exist. Excessive reporting requirements and data requests are often more disruptive than the new deadlines themselves. If we focus on the people doing the actual work—not just writing reports—there shouldn’t be major issues.”
Baidwan stressed that smart prioritization is critical, especially as AI accelerates the discovery of new software flaws.
“The faster you can assess and act, the sooner you can tell CISA: ‘We can’t patch this in three days, but we’ve applied a mitigation that makes exploitation much harder,’” he said. “Meanwhile, we’ve redirected our resources to fix the vulnerabilities we’re truly exposed to right now.”
Beardsley observed that agencies excelling at patch management typically have strong visibility into their IT environments and maintain clear procedures for updating software—including niche or unusual tools some agencies depend on.
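The deadline statistics above (average window per year, entries with seven days or less) and the triage the CIO and Baidwan describe (act only on KEV entries that apply to your own environment, and know how many days you have left) can both be computed directly from the catalog feed. The following is an added example, not code from the article, CISA, or any of the people quoted. It uses the field names of CISA's public KEV JSON feed (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`), but the entries embedded here are constructed placeholders, not real catalog records, and the asset-inventory format is an assumption.

```python
"""Compute KEV remediation windows and triage catalog entries against an inventory.

Added example. KEV_SAMPLE is constructed data that mimics the shape of the
"vulnerabilities" array in CISA's public KEV JSON feed; the CVE IDs, vendors
and products are placeholders, not real catalog entries. INVENTORY is an
assumed product -> hosts mapping; real environments would feed this from a
CMDB or asset-discovery tool.
"""
from collections import defaultdict
from datetime import date

KEV_SAMPLE = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "EdgeGateway",
         "dateAdded": "2025-02-03", "dueDate": "2025-02-24", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "MailRelay",
         "dateAdded": "2025-09-10", "dueDate": "2025-10-01", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "LegacyAppServer",
         "dateAdded": "2026-03-12", "dueDate": "2026-03-26", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0004", "vendorProject": "OtherVendor", "product": "VPNAppliance",
         "dateAdded": "2026-05-08", "dueDate": "2026-05-11", "knownRansomwareCampaignUse": "Known"},
    ]
}

# Assumed inventory format: product name -> hosts running it.
INVENTORY = {
    "EdgeGateway": ["gw-01", "gw-02"],
    "VPNAppliance": ["vpn-01"],
}


def window_days(entry):
    """Remediation window CISA assigned: days between dateAdded and dueDate."""
    added = date.fromisoformat(entry["dateAdded"])
    due = date.fromisoformat(entry["dueDate"])
    return (due - added).days


def average_window_by_year(catalog):
    """Average assigned window per year of addition, rounded to one decimal."""
    windows = defaultdict(list)
    for entry in catalog["vulnerabilities"]:
        windows[entry["dateAdded"][:4]].append(window_days(entry))
    return {year: round(sum(days) / len(days), 1) for year, days in windows.items()}


def short_window_entries(catalog, max_days=7):
    """CVE IDs whose assigned window is max_days or less."""
    return [e["cveID"] for e in catalog["vulnerabilities"] if window_days(e) <= max_days]


def triage(catalog, inventory, today):
    """Entries whose product we actually run, most urgent first.

    Sort key: fewest days left (overdue items are negative and sort first),
    then known ransomware use as a tie-breaker. Entries for products not in
    the inventory are skipped: they generate no patching work for us.
    """
    hits = []
    for entry in catalog["vulnerabilities"]:
        hosts = inventory.get(entry["product"])
        if not hosts:
            continue
        due = date.fromisoformat(entry["dueDate"])
        hits.append({
            "cveID": entry["cveID"],
            "product": entry["product"],
            "hosts": hosts,
            "days_left": (due - today).days,
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
        })
    hits.sort(key=lambda h: (h["days_left"], not h["ransomware"]))
    return hits


if __name__ == "__main__":
    print("average window by year:", average_window_by_year(KEV_SAMPLE))
    print("seven days or less:", short_window_entries(KEV_SAMPLE))
    for hit in triage(KEV_SAMPLE, INVENTORY, date(2026, 5, 9)):
        print(f"{hit['cveID']} {hit['product']} hosts={hit['hosts']} days_left={hit['days_left']}")
```

To run this against the live catalog, replace `KEV_SAMPLE` with the parsed JSON from CISA's feed at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; the functions only rely on the field names shown. Matching on `product` alone is deliberately simple: in practice the inventory join also needs vendor and version, since a KEV entry for a product you run at an unaffected version is exactly the kind of item the CIO wants filtered out before it reaches the patching queue.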
He also suggested CISA could play a bigger role in promoting best practices for software lifecycle management.
“CISA has a unique vantage point, advising 102 federal agencies and occasionally issuing directives,” Beardsley said. “By working closely with a few agencies—confidentially identifying what works and what doesn’t—they could publish guidance highlighting effective strategies and the tech habits of high-performing organizations.”
© 2026 Federal News Network. All rights reserved.