
AI drives new debate around CISA software patching deadlines


The Cybersecurity and Infrastructure Security Agency (CISA) is accelerating patching deadlines for federal agencies to address AI-driven cyber threats, with discussions about reducing KEV catalog deadlines from weeks to three days. Experts warn that while AI is accelerating vulnerability discovery, shorter deadlines may not guarantee faster remediation and could strain agencies already struggling to meet current timelines.

The Cybersecurity and Infrastructure Security Agency (CISA) has begun shortening the deadlines by which federal agencies must patch software vulnerabilities listed in its Known Exploited Vulnerabilities (KEV) catalog, a move influenced by rising concern over AI-driven cyber attacks. This year the average deadline for patching KEV-listed vulnerabilities stands at 14.4 days, down from 19.7 days in 2025 and over 20 days in 2024, reflecting a trend toward faster response. Discussions between CISA and the Office of the National Cyber Director have reportedly centered on cutting the standard KEV deadline to three days, a shift prompted in part by Anthropic’s Claude Mythos preview. All KEV entries added between May 6 and May 14 already carried three-day deadlines, signaling a potential policy change.

However, experts such as Hemant Baidwan, former CISO at the Department of Homeland Security, caution that a three-day timeline would be difficult for agencies to meet, though necessary given the evolving threat landscape. Rob Joyce, former cybersecurity director at the National Security Agency, emphasized that AI systems are now identifying vulnerabilities at an unprecedented scale, rendering traditional remediation cycles obsolete. He urged organizations to prioritize patching legacy systems and decommissioning outdated technologies, warning that known vulnerabilities will be exploited more aggressively. Joyce noted that the KEV catalog serves as a critical alert system, signaling imminent threats to agencies.

CISA introduced the KEV catalog in 2021 to standardize vulnerability patching, initially aiming for two-week deadlines. Agencies frequently missed these targets, however, often delaying patches by weeks or months. Tod Beardsley, a former CISA vulnerability response section chief, observed a paradox: shorter deadlines can inadvertently extend patching timelines because of operational challenges.

Despite this, the urgency of AI-driven threats has led CISA to press for faster responses even as agencies grapple with implementation. The shift reflects broader concern about AI’s role in accelerating cyber threats, with large language models enabling rapid vulnerability discovery. Experts agree that organizations must adapt by upgrading outdated systems and improving patching efficiency, though the transition to stricter deadlines will require significant adjustments in federal cybersecurity practices.
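As an added illustration (not code from the article or from CISA), the check below runs over a constructed feed in the shape of the public KEV JSON (fields cveID, dateAdded, dueDate): it computes each entry's remediation window, the average window of the kind the article cites (14.4 days this year), the entries carrying a three-day deadline, and which entries are overdue as of a given date. The CVE ids and dates are placeholders, not real catalog entries.

```python
import json
from datetime import date

# Constructed sample in the KEV feed shape; ids and dates are placeholders.
SAMPLE_FEED = json.dumps({
    "title": "constructed sample", "catalogVersion": "0", "count": 4,
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleCo", "product": "Widget",
         "dateAdded": "2026-04-20", "dueDate": "2026-05-11"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleCo", "product": "Gadget",
         "dateAdded": "2026-05-06", "dueDate": "2026-05-09"},
        {"cveID": "CVE-0000-0003", "vendorProject": "OtherCo", "product": "Gateway",
         "dateAdded": "2026-05-14", "dueDate": "2026-05-17"},
        {"cveID": "CVE-0000-0004", "vendorProject": "OtherCo", "product": "Legacy",
         "dateAdded": "2026-04-01", "dueDate": "2026-04-15"},
    ],
})


def load_windows(feed_json):
    """Return [(cveID, dateAdded, dueDate, window_days)] for each catalog entry."""
    out = []
    for v in json.loads(feed_json)["vulnerabilities"]:
        added = date.fromisoformat(v["dateAdded"])
        due = date.fromisoformat(v["dueDate"])
        out.append((v["cveID"], added, due, (due - added).days))
    return out


def average_window(windows):
    """Mean number of days between catalog addition and due date."""
    return sum(w for *_, w in windows) / len(windows)


def short_deadline(windows, max_days=3):
    """Entries whose remediation window is at most max_days (the proposed 3-day rule)."""
    return [cve for cve, _, _, w in windows if w <= max_days]


def patch_status(windows, today_iso, remediated):
    """Bucket each entry as 'done', 'overdue' or 'open' as of today_iso."""
    today = date.fromisoformat(today_iso)
    status = {}
    for cve, _, due, _ in windows:
        if cve in remediated:
            status[cve] = "done"
        else:
            status[cve] = "overdue" if today > due else "open"
    return status


if __name__ == "__main__":
    w = load_windows(SAMPLE_FEED)
    print("average window (days):", average_window(w))
    print("three-day entries:", short_deadline(w))
    print(patch_status(w, "2026-05-12", {"CVE-0000-0004"}))
```

Pointing `load_windows` at the live KEV feed instead of the constructed sample gives the same per-entry windows and overdue list for a real environment.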

This content was automatically generated and/or translated by AI. It may contain inaccuracies. Please refer to the original sources for verification.
