CISA gives federal agencies three days to fix critical cyber flaws
CISA gave federal agencies just three days to fix the worst cyber flaws, betting that AI-driven attacks now move faster than old patch cycles can survive.

Federal civilian agencies now have just three calendar days to fix the most dangerous cyber flaws, a deadline that tests whether Washington can move faster without breaking the systems it depends on. The Cybersecurity and Infrastructure Security Agency said the new rule targets vulnerabilities that are internet-facing, already being exploited, easy to automate and capable of giving attackers control of a system.
CISA issued Binding Operational Directive 26-04, titled Prioritizing Security Updates Based on Risk, on June 10 and said it is mandatory for federal executive branch departments and agencies. The directive replaces a slower mindset with a sharper triage model: agencies must focus first on the highest-risk weaknesses and push lower-priority problems down the queue. If a flaw meets all four of CISA’s criteria, agencies must not only patch it within three days but also perform forensic triage to determine whether they were compromised.

The new timetable shows how seriously federal officials now view artificial intelligence as a cyber risk multiplier. Chris Butera, CISA’s acting executive assistant director for cybersecurity, said a 24-hour remediation window would not be practical for most agencies, a sign that the agency is trying to balance urgency with operational reality. The three-day deadline is still a major compression of federal response time, but it is designed to reflect how quickly AI tools may help attackers find weaknesses, weaponize them and exploit them at scale.
CISA Acting Director Nick Andersen said the directive was meant to help agencies concentrate on the highest-risk vulnerabilities while deferring lower-priority ones. That shift matters because many federal systems are old, sprawling and hard to update quickly, especially when patching one component can disrupt another. For agencies, the new rule will likely demand tighter asset inventories, faster decision-making and closer coordination with vendors that maintain exposed systems.
The change also builds on CISA’s Known Exploited Vulnerabilities Catalog, created under Binding Operational Directive 22-01 on November 3, 2021. Under earlier federal patching regimes, critical flaws could have longer deadlines, including 15 days for critical vulnerabilities and 30 days for high-priority issues. The three-day clock tightens the fastest end of that schedule and signals that the government now sees time itself as a frontline defense.
The directive arrived alongside a live warning about a Check Point VPN flaw that had been exploited in zero-day attacks by Qilin ransomware affiliates. That combination of policy change and active exploitation underscores the same lesson: in an era of automated attacks and AI-assisted discovery, the federal government is treating the race to patch as part of national cyber defense, not a back-office maintenance task.
This article was produced by Prism’s automated news system from verified source data, official records, and press releases, then run through automated quality and moderation checks before publishing. The system is built and supervised by the people who set the standards it runs under.

