The US government has set a deadline of '3 days' for addressing the most serious vulnerabilities in order to deal with the threat of AI.



The U.S. Cybersecurity Agency (CISA) has issued a new directive to quickly defend government systems. CISA states that the most critical vulnerabilities must be fixed within a deadline as short as 'three days.'

BOD 26-04: Prioritizing Security Updates Based on Risk | CISA

https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk



Patch Smarter, Not Harder | CISA

https://www.cisa.gov/news-events/news/patch-smarter-not-harder

CISA tells agencies to patch smarter, not harder — foreshadowing broader industry practice | CSO Online
https://www.csoonline.com/article/4183750/cisa-tells-agencies-to-patch-smarter-not-harder-foreshadowing-broader-industry-practice.html

In recent years, AI-powered cyberattacks have become possible, increasing the risk that attackers will quickly discover and exploit unpatched vulnerabilities. Defenders do not have the resources to fix every one of the many vulnerabilities, so it has become necessary to prioritize them and fix them in order of priority.

Previously, CISA created a list called the 'Known Exploited Vulnerabilities Catalog' and addressed vulnerabilities according to the Common Vulnerability Scoring System (CVSS) evaluation criteria. CISA has now announced a new policy that builds on this list, prioritizing vulnerabilities using different criteria and fixing those with the highest risk first.



CISA sets four criteria: 'Is the asset publicly disclosed?', 'Is it listed in the known vulnerability catalog?', 'Can an attacker automate the procedure for exploiting the vulnerability?', and 'Can an attacker gain control of some or all of the asset?'. The deadline for addressing the vulnerability is determined based on whether each of these criteria is met. The deadline for addressing the most serious vulnerabilities is as short as three days, and the person in charge must take action such as fixing, disabling, or disconnecting the system from the internet within that timeframe.



However, according to CISA, only 1% of vulnerabilities require action within three days. Since most vulnerabilities can be addressed later without issue, prioritizing vulnerabilities is expected to be very effective. Furthermore, according to Verizon's 2026 Data Breach Investigations Report, only 26% of the vulnerabilities listed in the CISA catalog were fully remedied in 2025, with a median resolution time of 43 days.

Based on this directive, each government agency must review its vulnerability management policy and establish processes for remediating vulnerabilities.

Chris Butella, Acting Executive Deputy Director for Cybersecurity at CISA, said, 'We strongly believe that we can allocate time to expedite patching of the most critical vulnerabilities while addressing lower-risk vulnerabilities with more regular patching cycles.'

in AI, Security, Posted by log1p_kr