AI drives new debate around CISA software patching deadlines
AI drives new debate around CISA software patching deadlines
Publish Date: 2026-05-14 18:38:00
Source Domain: federalnewsnetwork.com
Growing concerns about artificial intelligence-driven cyber attacks are driving new debates around how quickly organizations should patch software vulnerabilities, including whether federal agencies should be required to meet patch deadlines in days rather than weeks.
Cyber experts say faster patching will be needed in many cases, especially considering recent advancements in AI. But many also say shortening deadlines is unlikely, by itself, to drive speedier remediation and could have the reverse effect in some cases.
In response to Anthropic’s Claude Mythos preview, Trump administration leaders have reportedly considered cutting the standard deadline for agencies to patch Common Vulnerabilities and Exposures (CVEs) that are posted to the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities (KEV) catalog.
Reuters reported that CISA and Office of the National Cyber Director leaders have discussed cutting the standard KEV deadline to three days, instead of two to three weeks.
]]
CISA didn’t respond to a request for comment on deliberations surrounding KEV catalog deadlines. But all four entries CISA has made to the KEV catalog from May 6 through May 14 have had a three-day deadline.
Any acceleration of patching deadlines will likely be a challenge for many federal agencies. Hemant Baidwan, former chief information security officer at the Department of Homeland Security, said shifting to a three-day deadline “is not going to be an easy thing,” but added “it does need to happen.”
“I don’t think we have the luxury to wait and follow legacy remediation cycles, to wait for 30 days, 60 days, 120 days to really go after mitigating a security weakness,” Baidwan, who is now executive CISO at security firm Knox Systems, told Federal News Network.
The urgency has been driven by the Claude Mythos preview. But Rob Joyce, former cybersecurity director at…
