CISA moves to 2‑hour KEV triage, eyes 3‑day federal remediation window
- CISA and the White House cyber office are discussing a rule that would cut federal KEV patch deadlines from roughly 2–3 weeks to 3 days.
- CISA's live KEV catalog still shows many new entries with mid-month due dates, but Reuters-linked reporting says officials want machine-speed triage and faster fixes.
- The shift matters because KEV bugs are already under active attack, and CISA has recently used 24-hour deadlines for especially dangerous cases.
Federal vulnerability management sounds bureaucratic. But what CISA is adjusting here is essentially the government's emergency brake for software flaws that are already being exploited in the wild. If that brake gets pulled faster, agencies have less time to debate and more pressure to patch. That is the news this week: CISA and the Office of the National Cyber Director are discussing whether to cut the normal federal deadline for KEV fixes to just 3 days. (scworld.com)

### What is KEV, exactly?

KEV is CISA's Known Exploited Vulnerabilities catalog, the federal list of CVEs that are no longer hypothetical. These are flaws with evidence of real-world exploitation, and CISA tells agencies to use the catalog as a top input for patch prioritization. The catalog is big now, more than 1,500 entries, which says a lot about how much real-world exploitation it tracks: it is the list that answers the practical question of what is actually hitting victims. (scworld.com, cisa.gov)

### What changed this week?

The change is not final policy yet. But multiple outlets carrying Reuters' reporting say CISA Acting Director Nick Anderson and National Cyber Director Sean Cairncross are discussing moving federal civilian agencies from an average 2-to-3-week KEV remediation window down to 3 days. That is a huge compression, not a tweak. (scworld.com)

### Why are they pushing now?

The short version is speed. Officials are reacting to the idea that newer AI systems can help find, analyze, and even build exploit chains much faster than human-led workflows used to. If attackers can go from disclosure to usable exploit in hours or a day, a 2-week patch clock starts to look leisurely in the worst possible way. (scworld.com)

### What is the current baseline?

Right now, the baseline is already faster than normal enterprise patching, but nowhere near 3 days. CISA's KEV process under BOD 22-01 requires Federal Civilian Executive Branch agencies to remediate by the listed due date, and recent reporting says the catalog typically gives about 3 weeks, with some cases shortened sharply. One entry added on April 30, for example, had a May 3 due date. (scworld.com, cisa.gov)

### Haven't they already used emergency timelines?

Yes, and that is part of why this story matters. CISA has increasingly folded urgent patching into the KEV system instead of relying only on one-off emergency directives. In 2025 it issued a 24-hour deadline for a severe Citrix flaw, and in January 2026 it said older emergency directives could be retired, so the KEV approach is starting to look more like the default path. (cisa.gov, therecord.media)

### Why is 3 days such a hard target?

Because patching is never just "install update, done." Agencies first have to know where the vulnerable product exists, whether it is internet-facing, whether a patch breaks something mission-critical, and whether cloud or contractor-owned systems are in scope. Remediation under BOD 22-01 also means more than installing a patch: where no fix exists, the required action can be to apply the vendor's mitigations or to remove the product from agency networks. A 3-day rule would reward agencies that already have real-time asset visibility and automated vulnerability management. That is the real subtext here. (therecord.media, scworld.com)

### Does this affect only government?

Formally, BOD 22-01 applies to federal civilian agencies. But CISA explicitly urges all organizations to use KEV for prioritization, and private companies often mirror federal practice because the catalog is one of the clearest signals that a bug is worth immediate attention. So even if the 3-day rule lands only on agencies, vendors, contractors, and big enterprises will feel the pressure. (cisa.gov)

### Bottom line?

This is CISA trying to drag patching into attacker time, not defender time. The proposal is still just a proposal. But if 3 days becomes the norm for KEV fixes, the real story will not be the deadline; it will be the forced jump to automation, asset visibility, and much less tolerance for slow patch cycles. (scworld.com)
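Two of the points above, the remediation window the catalog grants each entry and the asset visibility a 3-day rule would demand, are easy to make concrete. The script below is an added example, not code from CISA or from the reporting cited here. It parses a document in the shape of the public KEV JSON feed (the field names cveID, vendorProject, product, dateAdded, dueDate and knownRansomwareCampaignUse are those of the real feed), computes each entry's window in days, joins entries to a local asset inventory, and ranks the resulting work queue under either the listed due dates or a hypothetical 3-day cap. The catalog entries, the hosts, the placeholder CVE IDs and the way a cap would be applied are all constructed assumptions for illustration.

```python
"""Rank KEV catalog entries against an asset inventory under a remediation-window policy.

Added example, not CISA's code. The feed shape mirrors the public KEV JSON feed
(known_exploited_vulnerabilities.json); the entries, hosts and the 3-day cap are
constructed assumptions for illustration.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed feed: real KEV field names, placeholder CVE IDs, vendors and products.
SAMPLE_KEV_FEED = json.dumps({
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "Edge Gateway",
         "dateAdded": "2026-04-30", "dueDate": "2026-05-03", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "Mail Server",
         "dateAdded": "2026-04-20", "dueDate": "2026-05-11", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "Desktop Agent",
         "dateAdded": "2026-04-28", "dueDate": "2026-05-19", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed inventory, standing in for a CMDB or scanner export. No host lists
# "Desktop Agent", so CVE-0000-0003 never reaches the work queue: that is the
# asset-visibility gap, not evidence that the agency is unaffected.
SAMPLE_INVENTORY = [
    {"host": "vpn-1", "vendor": "ExampleVendor", "product": "Edge Gateway", "internet_facing": True},
    {"host": "mail-2", "vendor": "ExampleVendor", "product": "Mail Server", "internet_facing": False},
    {"host": "mail-3", "vendor": "ExampleVendor", "product": "Mail Server", "internet_facing": True},
]
TODAY = date(2026, 5, 1)  # constructed "now" for the example


@dataclass(frozen=True)
class KevEntry:
    cve_id: str
    vendor: str
    product: str
    date_added: date
    due_date: date
    ransomware_use: str  # "Known" or "Unknown", as in the real feed

    @property
    def window_days(self) -> int:
        """Days between catalog addition and the listed remediation due date."""
        return (self.due_date - self.date_added).days


def load_catalog(feed_json: str) -> list[KevEntry]:
    """Parse a KEV-format JSON document, keeping only the fields used here."""
    doc = json.loads(feed_json)
    return [
        KevEntry(
            cve_id=v["cveID"],
            vendor=v["vendorProject"],
            product=v["product"],
            date_added=date.fromisoformat(v["dateAdded"]),
            due_date=date.fromisoformat(v["dueDate"]),
            ransomware_use=v.get("knownRansomwareCampaignUse", "Unknown"),
        )
        for v in doc["vulnerabilities"]
    ]


def effective_due(entry: KevEntry, max_window_days: int | None = None) -> date:
    """Due date under a policy cap: the listed dueDate, or dateAdded + cap if earlier.

    None reproduces BOD 22-01 as written (use the catalog's date); 3 models the
    proposed federal window (an assumption about how such a rule would apply).
    """
    if max_window_days is None:
        return entry.due_date
    return min(entry.due_date, entry.date_added + timedelta(days=max_window_days))


def prioritize(entries, inventory, today, max_window_days=None):
    """Join entries to assets by vendor/product and return the work queue, most urgent first.

    Order: least time remaining (overdue first), then internet-facing, then known
    ransomware use. Entries with no matching asset are dropped.
    """
    by_product: dict[tuple[str, str], list[dict]] = {}
    for asset in inventory:
        by_product.setdefault((asset["vendor"].lower(), asset["product"].lower()), []).append(asset)

    work = []
    for e in entries:
        due = effective_due(e, max_window_days)
        for a in by_product.get((e.vendor.lower(), e.product.lower()), []):
            work.append({
                "cve": e.cve_id, "host": a["host"], "due": due,
                "days_left": (due - today).days,
                "internet_facing": a["internet_facing"],
                "ransomware": e.ransomware_use == "Known",
            })
    work.sort(key=lambda w: (w["days_left"], not w["internet_facing"], not w["ransomware"]))
    return work


if __name__ == "__main__":
    entries = load_catalog(SAMPLE_KEV_FEED)
    for e in entries:
        print(f"{e.cve_id}: {e.window_days}-day window")
    for label, cap in (("listed due dates", None), ("3-day cap", 3)):
        print(f"\nWork queue under {label}:")
        for w in prioritize(entries, SAMPLE_INVENTORY, TODAY, cap):
            print(f"  {w['host']:7} {w['cve']} due {w['due']} ({w['days_left']:+d} days)")
```

Run against the real feed, the only changes are downloading the JSON in place of SAMPLE_KEV_FEED and feeding in an actual inventory export. Two things the output makes visible that the prose only asserts: under the listed dates the 21-day entry sits comfortably in the queue, while under a 3-day cap it is already eight days overdue on the day the rule is evaluated; and an entry for a product the inventory does not know about simply vanishes, which is why asset visibility, not patch speed, is the first thing a 3-day window tests.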