Growing concerns about artificial intelligence-driven cyber attacks are driving new debates around how quickly organizations should patch software vulnerabilities, including whether federal agencies should be required to meet patch deadlines in days rather than weeks.
Cyber experts say faster patching will be needed in many cases, especially considering recent advancements in AI. But many also say shortening deadlines is unlikely, by itself, to drive speedier remediation and could have the reverse effect in some cases.
In response to Anthropic’s Claude Mythos preview, Trump administration leaders have reportedly considered cutting the standard deadline for agencies to patch Common Vulnerabilities and Exposures (CVEs) that are posted to the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities (KEV) catalog.
Reuters reported that CISA and Office of the National Cyber Director leaders have discussed cutting the standard KEV deadline to three days, instead of two to three weeks.
CISA didn’t respond to a request for comment on deliberations surrounding KEV catalog deadlines. But all four entries CISA has made to the KEV catalog from May 6 through May 14 have had a three-day deadline.
Any acceleration of patching deadlines will likely be a challenge for many federal agencies. Hemant Baidwan, former chief information security officer at the Department of Homeland Security, said shifting to a three-day deadline “is not going to be an easy thing,” but added “it does need to happen.”
“I don’t think we have the luxury to wait and follow legacy remediation cycles, to wait for 30 days, 60 days, 120 days to really go after mitigating a security weakness,” Baidwan, who is now executive CISO at security firm Knox Systems, told Federal News Network.
The urgency has been driven by the Claude Mythos preview. But Rob Joyce, former cybersecurity director at the National Security Agency, said “even before Mythos, the risk environment changed dramatically” due to large language models.
During a webinar hosted by Secureframe this week, Joyce said AI systems are finding software vulnerabilities “at industrial scale.”
“We’re not finding bugs faster because we have more humans on the problem,” Joyce said. “We’re finding them faster because the discovery loop is now mostly machine.”
He recommended organizations quickly upgrade legacy technologies, which AI has proven adept at exploiting, while understanding that “known vulnerabilities will be exploited.”
“Figure out how to patch faster, decommission those end-of-life systems,” Joyce said. “The CISA KEV catalog telling you what is being exploited is a big red flashing light that stuff’s coming for you.”
KEV timelines accelerate
Even prior to last month’s Mythos revelations, CISA had already been shortening deadlines for agencies to patch vulnerabilities posted to the KEV.
So far in 2026, the average deadline for a vulnerability posted to the KEV catalog is 14.4 days. Last year, the average was 19.7 days, while in 2024, patch deadlines were more than 20 days, on average.
CISA created the KEV catalog in 2021 to provide a repeatable mechanism for federal agencies to patch dangerous software bugs, rather than solely relying on one-off emergency directives.
The initial goal was to have two weeks or shorter be the standard deadline. But officials quickly realized that many agencies weren’t hitting those deadlines and instead blowing past them by weeks or even months, according to Tod Beardsley, who served as section chief for the vulnerability response section at CISA and now works as vice president of research at security firm runZero.
“Paradoxically, when you have a shorter deadline, your time to patch goes up,” Beardsley said.
“When you set the metric to, you’re good if you’re before the deadline, and bad if you’re after the deadline, you can’t fail any harder once you’ve passed through the deadline,” Beardsley added.
Between 2022 and 2025, CISA set the deadlines for patching most CVEs at three weeks. Beardsley said during his time at CISA, officials realized that two to three weeks was a “sweet spot” for most agencies.
Since March of this year, however, CISA has begun setting most KEV deadlines at 14 days. And out of the 61 vulnerabilities in the history of the catalog with a patch deadline of seven days or less, 25 of them have come this year.
“It has not gone unnoticed that the timelines have been already compressed,” Beardsley said.
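As an added example (not code from the article, from CISA, or from any of the people quoted), the script below reproduces the kind of deadline statistics cited above from a feed in the shape of CISA's KEV JSON and lists what falls due within a given window; the `dateAdded`/`dueDate` field names are assumed from the published feed, and the entries are constructed placeholders rather than real catalog records.

```python
import json
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample in the shape of the KEV JSON feed. The CVE IDs are
# placeholders and the dates are made up; they are not real catalog entries.
SAMPLE_KEV = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "dateAdded": "2024-02-01", "dueDate": "2024-02-22"},
    {"cveID": "CVE-0000-0002", "dateAdded": "2025-03-10", "dueDate": "2025-03-31"},
    {"cveID": "CVE-0000-0003", "dateAdded": "2025-06-01", "dueDate": "2025-06-15"},
    {"cveID": "CVE-0000-0004", "dateAdded": "2026-03-02", "dueDate": "2026-03-16"},
    {"cveID": "CVE-0000-0005", "dateAdded": "2026-05-06", "dueDate": "2026-05-09"},
]})


def deadline_days(entry):
    """Days between an entry being added to the catalog and its patch due date."""
    added = date.fromisoformat(entry["dateAdded"])
    due = date.fromisoformat(entry["dueDate"])
    return (due - added).days


def deadline_stats(feed_json, short_threshold=7):
    """Per year of dateAdded: entry count, mean deadline length in days, and how
    many entries had a deadline of short_threshold days or less."""
    by_year = defaultdict(list)
    for entry in json.loads(feed_json)["vulnerabilities"]:
        by_year[entry["dateAdded"][:4]].append(deadline_days(entry))
    return {
        year: {
            "count": len(days),
            "avg_days": round(sum(days) / len(days), 1),
            "short": sum(1 for d in days if d <= short_threshold),
        }
        for year, days in sorted(by_year.items())
    }


def due_within(feed_json, today, days):
    """CVE IDs whose due date is from `today` through `today + days`, soonest
    first. Entries already past due are excluded; track those separately."""
    hits = []
    for entry in json.loads(feed_json)["vulnerabilities"]:
        due = date.fromisoformat(entry["dueDate"])
        if today <= due <= today + timedelta(days=days):
            hits.append((due, entry["cveID"]))
    return [cve for _, cve in sorted(hits)]


if __name__ == "__main__":
    print(deadline_stats(SAMPLE_KEV))
    print(due_within(SAMPLE_KEV, date(2026, 5, 7), 3))
```

On the real feed, `avg_days` per year is the figure the article compares across 2024, 2025 and 2026, and `short` with the default threshold is the seven-days-or-less count it cites.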
A federal chief information officer, granted anonymity because they were not authorized to speak publicly, acknowledged that patching timelines “have to get as close to immediate as possible.” Agencies need to “accelerate both prioritizing and remediating system vulnerabilities,” including through increased use of automation.
But the CIO said it’s important for agencies to prioritize issues that are truly exploitable within their specific IT environments.
“I’m OK with a faster timeline, but also recognize that just because there is a CVE, it doesn’t mean it impacts us,” the CIO said. “It also doesn’t mean there is a solution that can be implemented quickly. I think that adding overhead reporting and data calls are actually worse than the changed timelines. If we keep in mind the people that actually do the work rather than write words, there shouldn’t be any issues.”
Baidwan said prioritization is crucial, especially in an area where AI is already increasing the volume of software vulnerabilities.
“The more quickly you can do that, the more quickly you can say, ‘Well, CISA, I can’t remediate this in three days, but I’ve already implemented this mitigation that makes it more challenging for an adversary to exploit,’” he said. “And in the meantime, I’ve already prioritized my resources in remediating the ones where we are truly vulnerable and could be exploited today.”
Beardsley said agencies that do well with patch management tend to know what’s in their environment and build playbooks around updating and maintaining software, especially “weird software” that some agencies rely upon.
He also said CISA could advance new strategies and expertise around software lifecycle management.
“CISA is in a very unique position in that they have 102 agencies that they are advising and occasionally giving directives to,” Beardsley said. “Zeroing in on one or two of them, and finding out where it works and where it doesn’t … You can do it confidentially and produce a report saying, ‘This is what we see that works. Here’s what doesn’t. Here are the kinds of tech habits we see in the successful agencies.’”
© 2026 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.