U.S. federal civilian agencies must patch, disable, or isolate externally reachable critical vulnerabilities within 72 hours as attackers leverage AI for faster exploitation.