# CISA shortens patch deadlines to days
- On May 14, 2026, CISA continued using three-day remediation deadlines for some newly added Known Exploited Vulnerabilities, tightening federal patch timelines.
- Four KEV entries added from May 6 through May 14 carried three-day due dates, Federal News Network reported, citing recent catalog updates.
- CISA’s KEV catalog and BOD 22-01 remain the operative references for federal agencies tracking newly added exploited flaws.
The Cybersecurity and Infrastructure Security Agency has begun assigning three-day remediation windows to some newly added Known Exploited Vulnerabilities, according to recent entries in its public catalog and reporting on internal administration discussions. The shorter deadlines apply through CISA’s existing KEV process, which federal civilian agencies already use to prioritize fixes for flaws under active exploitation. The move has not yet been announced as a formal rewrite of Binding Operational Directive 22-01, but recent catalog entries show the tighter timetable in practice. Reuters and Federal News Network reported that the discussions are tied to concerns that newer artificial-intelligence systems can find and weaponize software flaws faster than older patch cycles assumed.

### Where does the three-day deadline show up?

CISA’s KEV catalog currently shows several May 2026 additions with due dates three days after they were posted. A BerriAI LiteLLM SQL injection flaw, CVE-2026-42208, was added on May 8 with a due date of May 11, according to the catalog. An Ivanti Endpoint Manager Mobile flaw, CVE-2026-6973, was added on May 7 with a due date of May 10.

A May 14 CISA alert added Cisco Catalyst SD-WAN Controller authentication bypass vulnerability CVE-2026-20182 to the KEV catalog and said federal civilian executive branch agencies must remediate listed vulnerabilities by the due date. The public alert did not restate the exact deadline in the excerpted notice, but the catalog and adjacent May entries show the agency using compressed windows for recent additions.

### Is this a new rule or a faster use of the old one?

Binding Operational Directive 22-01 dates to November 3, 2021, and already gives CISA authority to maintain a living catalog of exploited vulnerabilities and set remediation requirements for federal civilian agencies. The directive says agencies are required to comply with DHS-developed directives and that CISA establishes requirements for agencies to remediate vulnerabilities included in the catalog.

Federal News Network reported on May 14 that CISA this year had already started accelerating deadlines for agencies to patch software bugs posted to the KEV catalog. Reuters reported on May 1 that CISA and the Office of the National Cyber Director were discussing whether to cut the standard deadline for actively exploited vulnerabilities from roughly two to three weeks to three days, according to people familiar with the matter. Reuters said it could not establish whether a final decision had been made or when one might come.

### Who is discussing the change inside the government?

Reuters reported that Sean Cairncross, the U.S. national cyber director, and Nick Andersen, then acting head of CISA, were discussing the shorter deadlines. CISA and the Office of the National Cyber Director did not immediately comment to Reuters, according to that report.

Federal News Network said the deliberations followed concern inside the Trump administration about AI-assisted hacking and cited Anthropic’s Claude Mythos preview as a catalyst for the debate. That report also quoted former National Security Agency cybersecurity director Rob Joyce saying large language models were finding software vulnerabilities “at industrial scale.”

### Why are AI systems part of this patching debate?

Anthropic published its Claude Mythos Preview assessment on April 7, 2026, describing the model as a new general-purpose system with strong cybersecurity capabilities. Reuters and other outlets have tied the administration’s patch-deadline debate to broader concern that frontier AI models can compress the time between vulnerability discovery and exploitation.

Rob Joyce said during a Secureframe-hosted webinar this week that AI systems are finding bugs faster because “the discovery loop is now mostly machine,” according to Federal News Network. Hemant Baidwan, a former Department of Homeland Security chief information security officer now at Knox Systems, told the outlet that moving to a three-day deadline “is not going to be an easy thing,” though he said agencies no longer had the luxury of waiting through older remediation cycles.

### What does this change for federal teams and contractors?

BOD 22-01 applies to federal information systems managed on agency premises or hosted by third parties on an agency’s behalf, CISA says. That means the operational effect reaches beyond agency-owned infrastructure to systems run by vendors and service providers supporting federal workloads.

CISA says organizations should use the KEV catalog as an input to vulnerability-management prioritization, and it continues to publish additions through alerts and the catalog page itself. As of May 16, 2026, the KEV catalog page showed 1,590 entries, providing the public record agencies and contractors can monitor for newly added flaws and due dates.

### What should readers watch next?

CISA’s next KEV additions will show whether three-day due dates remain the norm for newly listed exploited flaws. The agency posts those updates on its KEV catalog page and through dated alerts, including the May 14, 2026 notice for CVE-2026-20182.
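The article points agencies and contractors at the KEV catalog as the record to monitor for new additions and their due dates. The script below is an added example, not code from the article, from CISA, or from any outlet it cites. It reads records in the layout of CISA's public KEV JSON feed (the field names cveID, dateAdded and dueDate are assumed from that feed), computes each entry's remediation window in days, and flags entries with three-day deadlines, entries added since a given date, and entries already past due. The feed excerpt embedded in it is constructed: only the two 2026 CVE IDs and their dates come from the article, and the third record is a placeholder standing in for an older three-week window.

```python
"""Flag Known Exploited Vulnerabilities with compressed remediation windows.

Added example, not from the article or from CISA. It reads records in the
shape of CISA's public KEV JSON feed (field names cveID, dateAdded and
dueDate are assumed from that feed) and reports how many days each entry
gives agencies to remediate, so a team can spot three-day deadlines and
anything already past due.
"""
from __future__ import annotations

import json
from datetime import date

# Constructed feed excerpt in the KEV JSON layout. A real run would read the
# catalog feed published on cisa.gov instead of this string. The first two
# records use the CVE IDs and dates quoted in the article; the third is a
# placeholder with the older roughly three-week window.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "dateReleased": "2026-05-16T00:00:00.0000Z",
    "count": 3,
    "vulnerabilities": [
        {   # article: added May 8, due May 11
            "cveID": "CVE-2026-42208",
            "vendorProject": "BerriAI",
            "product": "LiteLLM",
            "vulnerabilityName": "BerriAI LiteLLM SQL injection flaw",
            "dateAdded": "2026-05-08",
            "dueDate": "2026-05-11",
        },
        {   # article: added May 7, due May 10
            "cveID": "CVE-2026-6973",
            "vendorProject": "Ivanti",
            "product": "Endpoint Manager Mobile",
            "vulnerabilityName": "Ivanti Endpoint Manager Mobile flaw",
            "dateAdded": "2026-05-07",
            "dueDate": "2026-05-10",
        },
        {   # constructed placeholder, not a real catalog entry
            "cveID": "CVE-0000-00000",
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "vulnerabilityName": "Placeholder entry (constructed)",
            "dateAdded": "2026-04-20",
            "dueDate": "2026-05-11",
        },
    ],
})


def parse_kev(text: str) -> list[dict]:
    """Return the vulnerability records from a KEV-format JSON document."""
    return json.loads(text)["vulnerabilities"]


def remediation_window(entry: dict) -> int:
    """Days between dateAdded and dueDate for one KEV entry."""
    added = date.fromisoformat(entry["dateAdded"])
    due = date.fromisoformat(entry["dueDate"])
    return (due - added).days


def entries_due_within(entries: list[dict], max_days: int) -> list[str]:
    """CVE IDs whose remediation window is max_days or shorter."""
    return [e["cveID"] for e in entries if remediation_window(e) <= max_days]


def added_since(entries: list[dict], since: str) -> list[str]:
    """CVE IDs added on or after the ISO date `since` (new catalog additions)."""
    cutoff = date.fromisoformat(since)
    return [e["cveID"] for e in entries
            if date.fromisoformat(e["dateAdded"]) >= cutoff]


def overdue(entries: list[dict], today: str) -> list[str]:
    """CVE IDs whose due date is strictly before the ISO date `today`."""
    now = date.fromisoformat(today)
    return [e["cveID"] for e in entries
            if date.fromisoformat(e["dueDate"]) < now]


def report(entries: list[dict], today: str) -> str:
    """One line per entry, soonest due first, with days left or OVERDUE."""
    now = date.fromisoformat(today)
    lines = []
    for e in sorted(entries, key=lambda e: e["dueDate"]):
        left = (date.fromisoformat(e["dueDate"]) - now).days
        status = "OVERDUE" if left < 0 else f"{left} day(s) left"
        lines.append(f"{e['cveID']:<16} added {e['dateAdded']} due {e['dueDate']} "
                     f"window {remediation_window(e):>2}d  {status}")
    return "\n".join(lines)


if __name__ == "__main__":
    kev = parse_kev(SAMPLE_KEV_JSON)
    print(report(kev, "2026-05-09"))
    print("three-day entries:", entries_due_within(kev, 3))
    print("added since 2026-05-06:", added_since(kev, "2026-05-06"))
```

To run it against the live catalog, replace `SAMPLE_KEV_JSON` with the body of CISA's KEV JSON feed; the functions only depend on the three assumed field names, so a feed that adds fields keeps working, and a missing `dueDate` would raise a `KeyError`, which is the right outcome for a record a tracker cannot schedule.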