How AI Is Collapsing the Federal Patching Window


The United States Cybersecurity and Infrastructure Security Agency (CISA) established the Known Exploited Vulnerabilities (KEV) catalog in November 2021 as a resource to aid federal agencies and the public in their efforts to defend against high-risk security flaws. In the past, the likely timeline for exploitation of these vulnerabilities allowed defenders a meaningful response gap, leading CISA to recommend remediation within two to three weeks. The underlying assumption was always that the cadence of policies could match the velocity of threats. This assumption held for a while, but recent technological developments and threat trends have made it untenable.

The Models that Broke the Assumption

The advent of powerful AI models like Anthropic’s Claude Mythos and OpenAI’s GPT-5.4-Cyber has changed the landscape and prompted some officials to suggest that the two-week deadline that has historically held may no longer be effective. Autonomous binary analysis and the generation of exploit chains at machine speed significantly reduce the time to exploit (TTE) for newly disclosed vulnerabilities, requiring tighter remediation timelines to protect against evolving risks.

Data from VulnCheck’s State of Exploitation 2026 report shows that around 29% of KEVs identified in 2025 showed evidence of exploitation on or before the day that their CVE was published. This clearly demonstrates that the three-week remediation window is no longer effective for defending against modern and evolving exploitation technology and capabilities.

The Government’s Response: 72 Hours as the New Standard

Sources have told Reuters that acting CISA chief Nick Andersen and U.S. national cyber director Sean Cairncross have been discussing proposals to amend the remediation deadline down to three days. It is unclear whether these proposals have been approved or when a conclusion on the matter can be expected. This proposed change would tighten the remediation timeline from the two-week deadline set forth in Binding Operational Directive 22-01, which established the KEV catalog in 2021.

The precedent set forth by government agencies at the national level has the effect of signaling new standards for much broader adoption, influencing decisions, and becoming the de facto benchmark for state, local, and enterprise cybersecurity programs. If the proposal to reduce the federally mandated remediation window to three days is officially adopted, it will likely be implemented by many institutions and organizations nationwide.

Why the Mandate Arrives in a Moment of Institutional Weakness

The potential adoption of the three-day remediation window comes at a significant time for the agency, with CISA’s recent budget cuts and workforce reductions depleting the enforcement body at the very moment of escalation. Federal agencies are facing testing burdens, asset visibility gaps, and legacy system constraints that make this an inopportune time to ramp up defense efforts.

The makeup of modern systems also means that tightening the remediation deadline may prove unfeasible for many organizations and agencies. IoT, OT, and ICS environments, which constitute huge portions of governmental and enterprise systems, are categorically more difficult to patch than standard IT environments, regardless of the timeline. Policies and execution of remediation efforts already struggle in many of these places, and reducing the time to remediate will pose additional challenges.

The Only Path Through: Automation as Operational Imperative

With the possibility of a new federally mandated three-day deadline, organizations are faced with the need to update their remediation cycles for evolving threats and security policies. AI-empowered threats require AI-enhanced defenses. It is crucial to implement AI-driven CI/CD pipelines that make use of automated testing, canary deployments, and rollback architecture at machine speed.

The non-negotiable foundation of modern security and vulnerability remediation is continuous asset inventory, as comprehensive visibility is a prerequisite for effective patching. “Unfortunately, most enterprises do not have continuous visibility into their attack surface, let alone the ability to prioritize and remediate vulnerabilities in near real time,” says Morey Haber, Chief Security Advisor at BeyondTrust. “Vulnerability scanning still occurs once a month or, at best, once a week, and in some cases still once a quarter.”
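To make the gap between the current catalog deadlines and a 72-hour window concrete, here is a small Python check, added as an example and not code from the article, CISA, or BeyondTrust. It reads records in the field layout of CISA's public KEV JSON feed (the field names cveID, product, dateAdded and dueDate are real; every record and asset name below is constructed) and reports which unpatched assets in an inventory are past deadline under the catalog's own dueDate versus a hypothetical 72-hour window counted from dateAdded.

```python
"""KEV deadline check: catalog dueDate versus a 72-hour window (added example)."""
import json
from datetime import datetime, timedelta

# Constructed records using the field names of CISA's KEV JSON feed
# (cveID, product, dateAdded, dueDate); the values are made up.
KEV_SAMPLE = [
    {"cveID": "CVE-0000-0001", "product": "ExampleRouter",
     "dateAdded": "2026-03-02", "dueDate": "2026-03-23"},
    {"cveID": "CVE-0000-0002", "product": "ExampleVPN",
     "dateAdded": "2026-03-10", "dueDate": "2026-03-31"},
]
# Constructed inventory: asset name -> {cveID: already patched?}
INVENTORY = {
    "edge-router-01": {"CVE-0000-0001": False},
    "vpn-gw-02": {"CVE-0000-0002": False, "CVE-0000-0001": True},
}


def load_kev(path):
    """Load a downloaded copy of the real feed; entries sit under 'vulnerabilities'."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)["vulnerabilities"]


def deadline_for(entry, window_hours=None):
    """Deadline as a datetime. None -> the catalog dueDate (overdue from the
    following midnight); otherwise dateAdded at midnight plus window_hours."""
    if window_hours is None:
        return datetime.fromisoformat(entry["dueDate"]) + timedelta(days=1)
    return datetime.fromisoformat(entry["dateAdded"]) + timedelta(hours=window_hours)


def overdue_assets(kev, inventory, now_iso, window_hours=None):
    """Return sorted (asset, cveID, deadline ISO) tuples for unpatched findings
    whose deadline has already passed at now_iso under the chosen window."""
    now = datetime.fromisoformat(now_iso)
    by_id = {e["cveID"]: e for e in kev}
    overdue = []
    for asset, findings in inventory.items():
        for cve, patched in findings.items():
            if patched or cve not in by_id:
                continue  # patched, or not a KEV entry: no catalog deadline applies
            deadline = deadline_for(by_id[cve], window_hours)
            if now >= deadline:
                overdue.append((asset, cve, deadline.isoformat()))
    return sorted(overdue)


if __name__ == "__main__":
    for label, hours in (("catalog dueDate", None), ("72-hour window", 72)):
        print(label, overdue_assets(KEV_SAMPLE, INVENTORY, "2026-03-12T12:00:00", hours))
```

With the constructed data, nothing is overdue on 12 March under the catalog dates, but the router finding is already a week past a 72-hour deadline.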

An amended remediation deadline can function to force compliance, with tighter mandates accelerating investment in the kind of infrastructure that makes full compliance possible. This infrastructure is already necessary for the adequate defense of government and enterprise systems, but many organizations still lack it. A federal mandate is a strong push toward building the architecture needed to fight modern and evolving threats.

Defense Velocity Replaces Policy Cadence as the Measure of Program Maturity

The window of three days redefines cyber hygiene, shifting it from a periodic task to a real-time operational discipline. Tightening the remediation timeline without providing resources to aid in the implementation of the new deadline widens the gap between policy intent and organizational reality, highlighting the risk of adopting an unfunded mandate. The proposed new deadline is indicative of a much broader truth: in an AI-enabled threat landscape, the defining factor lies in how fast you can respond, not how well you’ve planned.

Author
  • Contributing Writer, Security Buzz
    PJ Bradley is a writer from southeast Michigan with a Bachelor's degree in history from Oakland University. She has a background in school-age care and experience tutoring college history students.