CISA Tells US Agencies to Fix Security Bugs in as Little as 3 Days Thanks to AI Threats

Staff Editor 2026-06-10
CISA Tells US Agencies to Fix Security Bugs in as Little as 3 Days Thanks to AI Threats

CISA Tells US Agencies to Fix Security Bugs in as Little as 3 Days Thanks to AI Threats

https://www.wired.com/story/cisa-ai-vulnerability-directive/

Publish Date: 2026-06-10 16:55:00

Source Domain: www.wired.com

With new generations of AI models fueling both rapid software vulnerability discovery and the potential for faster exploitation by malicious hackers, the United States Cybersecurity and Infrastructure Security Agency released a new directive on Wednesday that requires more rapid and efficient software patching by federal civilian agencies. The “binding operational directive” (BOD) lays out a rubric for how quickly bugs must be fixed based on four assessments of urgency, with a turnaround time in critical cases of just three days.

Chris Butera, CISA’s acting executive assistant director for cybersecurity, told reporters on Wednesday that the goal of the directive is to help agencies prioritize, so they can address the most problematic vulnerabilities first while taking more time to remediate bugs that pose a less-pressing risk. The directive comes as private companies and governments have been scrambling to assess the extent of the cybersecurity reckoning that AI vulnerability and exploit development capabilities could unleash.

“Prioritizing IT and security operations attention on the most at-risk assets is particularly important now given advancements in artificial intelligence, which allow threat actors to find and exploit vulnerabilities in [federal] assets,” Butera said on Wednesday. “Defenders cannot afford to take weeks to patch systems that can be autonomously exploited en masse.”

The CISA directive’s criteria for evaluating patch urgency includes looking at whether a vulnerability is in a system that is publicly exposed, whether the bug is listed in CISA’s Known Exploited Vulnerabilities Catalog, whether an attacker could automate all of the steps to exploit the vulnerability, and how much access an attacker would get to the target if the bug were exploited. A vulnerability where all four points apply must be fixed within three days, according to the new directive, and the agency must also execute a “forensic triage” process to determine…

Source

More Stories

AI Reshapes Cybersecurity Training Priorities

AI Reshapes Cybersecurity Training Priorities

Staff Editor 2026-06-10
White House Executive Order Signals Federal Focus on Frontier AI Cybersecurity

White House Executive Order Signals Federal Focus on Frontier AI Cybersecurity

Staff Editor 2026-06-10
Flow Data Indicates Strong Participation In AI Infrastructure, Semiconductors, And Cybersecurity

Flow Data Indicates Strong Participation In AI Infrastructure, Semiconductors, And Cybersecurity

Staff Editor 2026-06-10

Terms and Conditions - Privacy Policy