
CISA Sets 3-Day Patch Mandate for Federal Agencies’ Most Dangerous Vulnerabilities

Federal agencies will have as little as three days to patch software vulnerabilities deemed most dangerous by CISA.


The Cybersecurity and Infrastructure Security Agency (CISA) issued a new directive requiring federal civilian agencies to fix the most dangerous software vulnerabilities within three days.

The directive, known as BOD 26-04, changes how federal agencies decide which software vulnerabilities need immediate attention. Instead of relying primarily on technical severity scores, CISA will now prioritize vulnerabilities based on their likelihood of being exploited by attackers and the damage they could cause.

Under the new system, agencies must fix the highest-risk vulnerabilities within three calendar days. Other vulnerabilities will have deadlines of 14 or 30 days depending on the level of risk identified by CISA.

CISA said the change is necessary because attackers are moving more quickly than ever. The agency specifically pointed to advances in AI that are helping attackers discover and target software vulnerabilities faster, reducing the time organizations have to respond.

“Defenders cannot afford to take weeks to patch systems that can be autonomously exploited en masse,” said Chris Butera, CISA’s acting executive assistant director for cybersecurity, in a Reuters interview.

According to CISA, technical severity scores do not always reflect the actual danger posed by a vulnerability. Some highly rated vulnerabilities may never be exploited by attackers, while lower-rated vulnerabilities can become serious threats if actively targeted.

The new directive is designed to help agencies focus their resources on the vulnerabilities most likely to be used in real-world attacks.

Federal agencies must begin using the new approach immediately. CISA said the directive will create a more consistent process across government while helping agencies respond more quickly to emerging threats.

While the directive applies only to federal civilian agencies, it reflects a broader shift in cybersecurity. Organizations are increasingly looking beyond technical ratings and focusing on which vulnerabilities attackers are actually exploiting.

Clayton Rifkind

Clayton Rifkind is the Founder and Senior Editor of AI Risk Today. He also advises on content development for esgtoday.com, a leading source of ESG investment news and research for institutional investors and corporate leaders. He has 20+ years of experience in B2B technology marketing, leading strategy and execution of go-to-market plans across software, enterprise platforms, and mobile applications. He also founded two marketing consultancies, advising startups and Fortune 1000 companies, including Autodesk, Intel, and Microsoft. Clayton began his career in the San Francisco advertising scene, working with brands such as Hewlett-Packard, Intel, Microsoft, Symantec, and Wells Fargo.
