Growing concerns about artificial intelligence-powered cyberattacks have sparked new debate about how quickly organizations patch software vulnerabilities, including whether federal agencies should be required to meet patch deadlines in days rather than weeks.
Cyber experts say faster patching will often be necessary, especially given recent advances in AI. But many say shortening deadlines alone is unlikely to encourage quick repairs and could even be counterproductive in some cases.
In response to Anthropic’s Claude Mythos preview, Trump administration leaders are reportedly considering shortening the standard deadline for government agencies to patch common vulnerabilities and exposures (CVEs) listed in the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities (KEV) Catalog.
According to Reuters, leaders from CISA and the Office of the National Cyber Director have discussed shortening the standard KEV deadline to three days instead of two to three weeks.
CISA did not respond to a request for comment regarding the KEV catalog deadline deliberations. However, all four entries CISA made to the KEV catalog between May 6 and May 14 had a three-day deadline.
Accelerating patching deadlines is likely to be difficult for many federal agencies. Hemant Baidwan, former chief information security officer at the Department of Homeland Security, said changing the deadline to three days “wouldn’t be easy,” but added, “We need to do it.”
“I don’t think we can afford to wait for legacy remediation cycles and wait 30, 60, 120 days from mitigating security vulnerabilities to actually being done,” Baidwan, now executive CISO at security firm Knox Systems, told Federal News Network.
This urgency was fueled by previews of Claude Mythos. But Rob Joyce, former director of cybersecurity at the National Security Agency, said that “the risk environment has changed dramatically even before Mythos” because of large language models.
In a webinar hosted by SecureFrame this week, Joyce said AI systems are discovering software vulnerabilities on an “industrial scale.”
“Just because you have more people working on a problem doesn’t mean you’ll find bugs faster,” Joyce said. “Now that most of the discovery loop is done by machines, we can discover things faster.”
He recommended that organizations quickly upgrade legacy technologies that AI has proven adept at exploiting, with the understanding that “known vulnerabilities may be exploited.”
“Figure out how to patch faster and retire systems at the end of their useful life,” Joyce said. “The CISA KEV catalog is a big red flashing signal that tells you what’s being exploited and it’s coming to you.”
KEV timeline accelerates
Even before last month’s Mythos revelations, CISA was already reducing deadlines for government agencies to patch vulnerabilities posted to KEV.
So far in 2026, the average patch deadline for vulnerabilities listed in the KEV catalog is 14.4 days. Patch deadlines averaged more than 20 days in 2024, compared with 19.7 days last year.
CISA created the KEV Catalog in 2021 to provide a repeatable mechanism for federal agencies to patch dangerous software bugs, rather than relying solely on one-time emergency directives.
The original goal was to have a standard deadline of two weeks or less. But authorities quickly realized that many agencies were missing deadlines by weeks or even months, said Tod Beardsley, former director of vulnerability response at CISA and now vice president of research at security firm runZero.
“Paradoxically, shorter deadlines give us more time to patch,” Beardsley said.
“If you set a metric that says good before the deadline and bad after the deadline, you can’t fail any more once you miss the deadline,” Beardsley added.
CISA set a three-week deadline to patch most CVEs between 2022 and 2025. Beardsley said that during his time at CISA, officials found that two to three weeks was the “sweet spot” for most agencies.
However, starting in March of this year, CISA began setting most KEV deadlines to 14 days. And of the 61 vulnerabilities with patch deadlines of seven days or less in the catalog’s history, 25 occurred this year.
“It doesn’t go unnoticed that timelines are already being compressed,” Beardsley said.
A federal chief information officer, speaking on condition of anonymity because he was not authorized to speak publicly, acknowledged that the patching schedule “needs to be as close to immediate as possible.” Government agencies must “accelerate the prioritization and remediation of system vulnerabilities,” including by increasing the use of automation.
But the CIO said it’s important for agencies to prioritize issues that have real potential for exploitation within a particular IT environment.
“We’re fine with a faster schedule, but we also recognize that just because we have a CVE doesn’t mean it’s going to impact us,” the CIO said. “It also doesn’t mean there’s a ready-to-implement solution. I think adding overhead reporting or data calls is actually worse than a modified timeline. If you keep in mind the people who are actually doing the work, not writing the words, you shouldn’t have any problems.”
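The two practical points above, the compressed KEV deadlines and the CIO’s observation that a listed CVE only matters if the affected product is actually in the environment, can be turned into a simple triage routine. The following is an added example, not code from CISA or from anyone quoted in the article. It uses the field names of the published KEV catalog JSON (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse), but the entries, CVE identifiers and asset inventory below are constructed placeholders, not real catalog data.

```python
from datetime import date
from statistics import mean

# Constructed sample entries shaped like the "vulnerabilities" array in the
# KEV catalog JSON. CVE IDs, vendors, products and dates are placeholders.
KEV_SAMPLE = [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "EdgeGateway",
     "dateAdded": "2026-05-06", "dueDate": "2026-05-09", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "MailServer",
     "dateAdded": "2026-05-01", "dueDate": "2026-05-15", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "ReportTool",
     "dateAdded": "2026-04-20", "dueDate": "2026-05-11", "knownRansomwareCampaignUse": "Unknown"},
]

# Constructed asset inventory: (vendorProject, product) pairs the agency runs.
INVENTORY = {("ExampleVendor", "EdgeGateway"), ("OtherVendor", "ReportTool")}


def deadline_days(entry):
    """Length of the remediation window CISA assigned, in days."""
    added = date.fromisoformat(entry["dateAdded"])
    due = date.fromisoformat(entry["dueDate"])
    return (due - added).days


def average_deadline(entries):
    """Mean remediation window across a set of catalog entries."""
    return mean(deadline_days(e) for e in entries)


def short_deadline_entries(entries, max_days=7):
    """Entries whose window is max_days or shorter (the urgent tail of the catalog)."""
    return [e["cveID"] for e in entries if deadline_days(e) <= max_days]


def triage(entries, inventory, today):
    """Return the entries that apply to our inventory, most urgent first.

    today is an ISO date string. days_remaining is negative when the deadline
    has already passed. The ordering is: overdue or soonest due first, and
    among equal dates, entries tied to known ransomware use ahead of the rest.
    """
    ref = date.fromisoformat(today)
    rows = []
    for e in entries:
        if (e["vendorProject"], e["product"]) not in inventory:
            continue  # listed in KEV, but not present in our environment
        due = date.fromisoformat(e["dueDate"])
        rows.append({
            "cveID": e["cveID"],
            "product": e["product"],
            "window_days": deadline_days(e),
            "days_remaining": (due - ref).days,
            "ransomware": e.get("knownRansomwareCampaignUse") == "Known",
        })
    rows.sort(key=lambda r: (r["days_remaining"], not r["ransomware"]))
    return rows


if __name__ == "__main__":
    print(f"average window: {average_deadline(KEV_SAMPLE):.1f} days")
    print("7-day-or-less:", short_deadline_entries(KEV_SAMPLE))
    for row in triage(KEV_SAMPLE, INVENTORY, "2026-05-08"):
        print(row)
```

Entries whose product is not in the inventory are dropped before any deadline arithmetic, which is the CIO’s point in code: the queue only contains work that can actually affect the environment. A real deployment would replace the constructed inventory with the asset data the agency already holds and feed the live catalog JSON into the same functions.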
Baidwan said prioritization is important, especially in areas where AI is already increasing software vulnerabilities.
“The sooner we can do that, the sooner we can say, ‘CISA, we’re not going to fix this in three days, but I’ve already put this mitigation in place, so it’s going to be harder for an attacker to exploit,'” he said. “And in the meantime, I have already prioritized my resources to remediate the things that we are really vulnerable to and that could be exploited today.”
Beardsley said agencies that do good patch management tend to know what’s in their environments and develop strategies for updating and maintaining software, especially the “weird software” that some agencies rely on.
He also said CISA could drive new strategies and expertise in software lifecycle management.
“CISA is in a very unique position in that it advises and sometimes provides direction to 102 government agencies,” Beardsley said. “We narrow it down to one or two of them and see what works and what doesn’t. We can do this privately and create a report that says, ‘Here’s what we see that’s working. Here’s what’s not working. Here are the technology habits we see in successful agencies.'”
Copyright © 2026 Federal News Network. Unauthorized reproduction is prohibited.
