Federal cybersecurity authorities are exploring dramatically reducing the time government agencies have to repair critical computer system vulnerabilities, according to sources with knowledge of the discussions. The proposed changes come as officials grow increasingly worried about hackers leveraging advanced artificial intelligence capabilities to launch attacks.
The potential policy shift would reduce the current two-week timeframe for addressing actively exploited security weaknesses to just three days, sources revealed. This represents the first public disclosure of these deliberations.
Growing alarm surrounds the capabilities and widespread availability of AI systems like Anthropic’s Mythos and OpenAI’s GPT-5.4-Cyber. While cybercriminals have utilized AI technology since 2023, these latest iterations reportedly can rapidly discover unknown security gaps or quickly weaponize newly revealed vulnerabilities for sophisticated cyber operations. What previously required hackers months, weeks, or days to accomplish can now be done in hours in certain situations.
This acceleration is forcing cybersecurity professionals to dramatically increase their response speed, according to Stephen Boyer, who founded cybersecurity firm Bitsight and has previously assisted CISA in documenting vulnerabilities.
“If you’re going to protect civil agencies, you’re going to have to move faster,” Boyer explained. “We don’t have as much of a window as we used to have.”
Two informed sources indicated that Nick Andersen, who currently leads the Cybersecurity and Infrastructure Security Agency, and Sean Cairncross, the national cyber director, are examining these deadline modifications. Reuters was unable to confirm whether officials have reached a final determination or establish a timeline for any decision. Both CISA and the Office of the National Cyber Director have not yet provided statements.
For several years, CISA has maintained a database of known and exploited vulnerabilities, commonly called KEVs, which receive priority status because they are publicly known and actively targeted by criminals or foreign intelligence operatives. Current policy typically allows civilian government departments two weeks to address such security flaws after they appear in the database. While deadlines are sometimes shortened for exceptionally severe threats, the new proposals would establish three days as the standard timeframe, sources indicated.
These CISA conversations occur as corporate executives and cybersecurity professionals wrestle with consequences from increasingly sophisticated AI releases. Banking sector leaders have been particularly affected as regulatory agencies rush to assess the potential dangers of this emerging technology.
Stricter CISA deadlines will probably influence standards for state and local governments, private companies, and other organizations, said Nitin Natarajan, who previously served as CISA’s deputy director during the Biden administration.
“This is a signal to others that says, ‘Hey you need to do this more quickly,’” he noted.
Natarajan, who currently operates cyber consulting firm NN Global, believes accelerating these deadlines makes sense given the rapid advancement of AI-enabled threats. However, he cautioned that CISA requires adequate resources to manage the pressure of compressed timelines, particularly after experiencing significant staff reductions and disruptions from government shutdowns during the Trump presidency.
“We’ve seen a reduction in their resources, both in funding and expertise,” Natarajan observed.
Kecia Hoyt, a vice president at threat intelligence company Flashpoint, emphasized that fixing software vulnerabilities often involves complex procedures requiring extensive testing before implementation. “Realistically, three days is simply impossible for some environments,” she stated.
John Hammond, senior principal security researcher at Maryland-based Huntress, described the potential shift from two weeks to three days as “quite a change.” Although he expressed cautious optimism about faster operations, he added that “only time will tell how well the industry keeps up.”
