The Bottom Line: U.S. federal civilian agencies must patch, disable, or isolate externally reachable critical vulnerabilities within 72 hours as attackers leverage AI for faster exploitation.
The U.S. cybersecurity agency CISA has issued a binding directive for federal civilian agencies that sets a deadline of three calendar days for remediating critical, externally accessible security vulnerabilities. The reason is the increasing automation of exploits through AI-powered attack techniques.
CISA's new directive requires departments and agencies to remediate critical security vulnerabilities that are directly exploitable over the internet, or to disable the affected systems or take them offline, within three calendar days. This significantly shortens the response time, as IT departments previously had longer periods available.
The background to this measure is the increasing automation of exploits by cybercriminals using powerful AI models such as Claude from Anthropic. These enable attackers to exploit newly discovered security vulnerabilities in an automated fashion and considerably faster than before. Chris Butera, acting deputy executive director for cybersecurity at CISA, emphasizes: “Defenders cannot afford to take weeks to patch systems that can be exploited autonomously at scale.”
CISA applies a tiered deadline structure. The three-day deadline applies exclusively to the most severe categories of vulnerabilities with direct internet exposure. For less critical security risks, where exploitation is not easily automated or the system is not directly exposed, the directive grants between two weeks and up to 60 days depending on the risk level. For CISOs, this means a dramatic increase in organizational pressure when prioritizing patches and managing vulnerabilities.
Source: www.it-daily.net · Published 11 June 2026
Lumi AI News — AI-assisted curation per Art. 50 EU AI Act. Paraphrasing and classification by Lumi News Pipeline v1.6.5.