CISA Considers Sharply Shorter Deadlines to Fix Digital Flaws Amid Rising AI Cyber Threats
New AI models slash hacker exploit time to hours, forcing CISA to act faster.
U.S. cybersecurity officials are considering slashing the standard deadline for fixing critical vulnerabilities in government IT systems from the current two-to-three-week window to just three days, according to sources familiar with the matter. The proposed change, being discussed by CISA acting chief Nick Andersen and national cyber director Sean Cairncross, is a direct response to the growing threat posed by advanced AI models such as Anthropic's Mythos and OpenAI's GPT-5.4-Cyber. These newer AI tools can identify previously unknown vulnerabilities or exploit freshly disclosed ones in a matter of hours, compressing what once took hackers months or weeks into a dramatically shorter timeline. Stephen Boyer, founder of Bitsight, which has worked with CISA on vulnerability cataloging, noted that defenders must now move much faster to protect civil agencies.
However, the accelerated timeline raises significant practical concerns. CISA has faced deep job cuts and government shutdowns under the Trump administration, reducing its capacity to enforce tighter deadlines. Nitin Natarajan, former deputy director of CISA, warned that the agency needs adequate resources to handle the strain. Kecia Hoyt of Flashpoint pointed out that patching software flaws often involves complex testing before deployment, making a three-day deadline impossible for some environments. John Hammond of Huntress said the change would be "quite a challenge" and that only time will tell whether the industry can keep up. The move is expected to set a precedent for state and local governments as well as private businesses, signaling that rapid response is the new normal in an AI-accelerated threat landscape.
- CISA proposes cutting vulnerability fix deadlines from 2-3 weeks to just 3 days for actively exploited flaws.
- Advanced AI models like Anthropic's Mythos and OpenAI's GPT-5.4-Cyber can find and exploit flaws in hours, compressing hacker timelines.
- Resource cuts and complex patching processes raise concerns about feasibility; critics call 3 days impossible for some environments.
Why It Matters
AI-driven threats are compressing attack windows; faster patching is essential but strains already under-resourced agencies.