CISA considers 3-day KEV deadline

- CISA is discussing a plan to cut federal patch deadlines for Known Exploited Vulnerabilities from roughly two to three weeks to three days.
- The talks reportedly involve acting CISA director Nick Anderson and national cyber director Sean Cairncross; no final decision or new directive has been announced.
- The idea matters because a KEV entry already signals active exploitation, and some recent listings have carried three-day deadlines anyway.

Federal patching policy has become the interesting part of cybersecurity this week. The reason is simple: CISA is reportedly weighing whether agencies should get three days, not two or three weeks, to fix vulnerabilities that are already being exploited in the wild. That would be a real shift for the federal government, because KEV deadlines are not advisory; they are mandatory for civilian agencies. The catch is that "faster" sounds obvious until you think about what patching a large federal network actually involves. (scworld.com)

### What is a KEV, exactly?

A KEV is a Known Exploited Vulnerability: a software or hardware flaw that CISA believes is not merely theoretical but already being used by attackers in real-world intrusions. CISA's KEV catalog is the government's running list of those flaws, and agencies use it to prioritize what gets fixed first. Under Binding Operational Directive 22-01, federal civilian agencies must remediate each cataloged flaw by the due date CISA sets. (scworld.com, cisa.gov)

### What changed this week?

The new piece is the reported internal discussion about shrinking the normal KEV remediation window to three days. The people named in that discussion are acting CISA director Nick Anderson and national cyber director Sean Cairncross. This is still at the "being discussed" stage: CISA has not publicly issued a new directive changing BOD 22-01 across the board. (scworld.com)

### Why does three days matter so much?

Because it changes the operating model, not just the calendar. A two-week window gives agencies some room to test patches, schedule downtime, check dependencies, and avoid breaking production systems. A three-day window pushes them into emergency mode far more often: faster asset discovery, faster validation, faster approvals, and almost certainly more automation. That is doable for some environments, but not painless. (scworld.com)

### Haven't some KEVs already had three-day deadlines?

Yes, and that is an important nuance. CISA has already used very short deadlines for especially urgent cases.
In February, for example, it gave agencies three days to address the Dell RecoverPoint flaw CVE-2026-22769 after adding it to the KEV catalog, and reporting at the time noted another three-day deadline in a separate case. A three-day default would make that pace much more normal. (scworld.com, bleepingcomputer.com)

### Why is CISA even considering this?

The logic is direct: if attackers can weaponize vulnerabilities faster, defenders need to compress response time too. Reporting around the discussion ties some of that urgency to more capable AI-assisted exploit development, which officials and security vendors think could shorten the time from disclosure to a working exploit. (bleepingcomputer.com) Whatever the cause, the broader pattern is clear: time-to-exploit keeps getting shorter. (scworld.com)

### So would every agency be ready for this?

Probably not. Even people sympathetic to the idea warn that many organizations still lack the automation, asset visibility, and testing discipline needed to patch at that speed without causing outages or shipping incomplete fixes. That is the real tension here: the government may be right that the threat clock has sped up, but the remediation machinery has not fully caught up. (scworld.com)

### Does this affect everyone?

Formally, BOD 22-01 applies to federal civilian executive branch agencies, not the private sector. But the KEV catalog already influences patching priorities far beyond Washington, because it is one of the clearest public signals that a bug is under active attack. If CISA moves to a default three-day expectation, plenty of private-sector security teams will treat that as a benchmark too. (cisa.gov)

### Bottom line?

This is not a new rule yet. But it is a clear sign of where federal cyber policy may be heading: toward treating actively exploited flaws as a three-day problem by default, not a two-week one. (scworld.com)
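The operational questions raised above (which entries already carry a three-day window, which of them touch systems you actually run, and how much a uniform three-day default would cut from each deadline) are the ones a patching team has to answer from the catalog itself. The script below is an added example, not part of the Scout briefing and not CISA tooling. Its field names (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse) follow the layout of CISA's published KEV JSON feed, but the catalog excerpt, the CVE identifiers, the products, the dates and the asset inventory are all constructed so it runs offline; modelling the proposed rule as dateAdded plus three days is an assumption about how such a default would be expressed.

```python
"""Triage KEV entries by remediation window and match them to an inventory.

Added example. The JSON shape mirrors the field names of CISA's KEV feed
(known_exploited_vulnerabilities.json); every entry below is constructed
for illustration and is not taken from the real catalog.
"""
import json
from datetime import date, timedelta

# Constructed catalog excerpt. The CVE IDs (year 1900), vendors, products
# and dates are invented; only the field names match the real feed.
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "example",
  "dateReleased": "2026-03-02T00:00:00.0000Z",
  "count": 3,
  "vulnerabilities": [
    {"cveID": "CVE-1900-0001", "vendorProject": "ExampleCo", "product": "Gateway",
     "vulnerabilityName": "ExampleCo Gateway Authentication Bypass",
     "dateAdded": "2026-02-27", "shortDescription": "constructed",
     "requiredAction": "Apply mitigations per vendor instructions.",
     "dueDate": "2026-03-02", "knownRansomwareCampaignUse": "Known", "notes": ""},
    {"cveID": "CVE-1900-0002", "vendorProject": "ThirdCo", "product": "VPN",
     "vulnerabilityName": "ThirdCo VPN Command Injection",
     "dateAdded": "2026-02-10", "shortDescription": "constructed",
     "requiredAction": "Apply mitigations per vendor instructions.",
     "dueDate": "2026-03-03", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    {"cveID": "CVE-1900-0003", "vendorProject": "OtherVendor", "product": "Mailer",
     "vulnerabilityName": "OtherVendor Mailer Deserialization",
     "dateAdded": "2026-02-24", "shortDescription": "constructed",
     "requiredAction": "Apply mitigations per vendor instructions.",
     "dueDate": "2026-03-17", "knownRansomwareCampaignUse": "Unknown", "notes": ""}
  ]
}
"""

# Constructed inventory: (vendorProject, product) pairs a hypothetical
# organisation runs. Real inventories would come from a CMDB or scanner.
SAMPLE_INVENTORY = [("ExampleCo", "Gateway"), ("OtherVendor", "Mailer")]


def load_catalog(text):
    """Parse a KEV-format JSON document and return its vulnerability list."""
    return json.loads(text)["vulnerabilities"]


def window_days(entry):
    """Remediation window CISA assigned to this entry: dueDate minus dateAdded."""
    return (date.fromisoformat(entry["dueDate"]) - date.fromisoformat(entry["dateAdded"])).days


def short_window(entries, max_days=3):
    """CVE IDs whose assigned window is already at or below max_days."""
    return [e["cveID"] for e in entries if window_days(e) <= max_days]


def exposure(entries, inventory, as_of, default_days=None):
    """Match entries to the inventory and compute days left as of an ISO date.

    If default_days is given, also report what the due date and days left
    would be under a uniform dateAdded + default_days rule (an assumption
    about how the proposed three-day default would be expressed).
    Negative daysLeft means the entry is already overdue.
    """
    today = date.fromisoformat(as_of)
    installed = {(v.lower(), p.lower()) for v, p in inventory}
    rows = []
    for e in entries:
        if (e["vendorProject"].lower(), e["product"].lower()) not in installed:
            continue
        due = date.fromisoformat(e["dueDate"])
        row = {
            "cveID": e["cveID"],
            "product": f'{e["vendorProject"]} {e["product"]}',
            "dueDate": e["dueDate"],
            "daysLeft": (due - today).days,
            "ransomware": e["knownRansomwareCampaignUse"] == "Known",
        }
        if default_days is not None:
            new_due = date.fromisoformat(e["dateAdded"]) + timedelta(days=default_days)
            row["dueDateIfDefault"] = new_due.isoformat()
            row["daysLeftIfDefault"] = (new_due - today).days
        rows.append(row)
    rows.sort(key=lambda r: r["daysLeft"])  # most urgent first
    return rows


if __name__ == "__main__":
    entries = load_catalog(SAMPLE_KEV_JSON)
    print("already three-day entries:", short_window(entries))
    for row in exposure(entries, SAMPLE_INVENTORY, "2026-03-04", default_days=3):
        print(row)
```

Run against the real feed by replacing SAMPLE_KEV_JSON with the downloaded catalog text and SAMPLE_INVENTORY with your own vendor/product list; the `daysLeftIfDefault` column is what turns the policy debate into a concrete backlog number for your environment.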

Shared from Scout.