US cybersecurity officials are considering drastically shorter deadlines for fixing critical security flaws in government IT systems, driven by concerns that hackers are using advanced AI tools to exploit vulnerabilities faster than ever before.
The proposed changes would cut the current deadline for responding to actively exploited vulnerabilities from an average of two to three weeks down to just three days, according to sources familiar with the matter. The discussions involve Nick Andersen, acting chief of the Cybersecurity and Infrastructure Security Agency (CISA), and Sean Cairncross, the US national cyber director.
The urgency stems from the growing power of AI models like Anthropic’s Mythos and OpenAI’s GPT-5.4-Cyber, which can identify previously unknown vulnerabilities or quickly exploit newly disclosed ones. While hackers previously needed months, weeks, or days to take advantage of software flaws, these advanced AI tools have compressed that timeframe to hours in some cases.
This shift represents a fundamental change in the cybersecurity landscape. CISA has maintained a catalog of known-and-exploited vulnerabilities (KEVs) for years, typically giving civilian agencies three weeks to fix such flaws once they’re added to the database. That deadline has already been tightened to around two weeks recently, but the new proposal would dramatically accelerate the timeline.
The banking industry has been particularly affected by these developments, with regulators scrambling to understand how dangerous the new AI technology could be for financial institutions. The compressed timeline reflects a broader recognition that traditional cybersecurity approaches may not be adequate against AI-powered threats.
Stephen Boyer, founder of cybersecurity company Bitsight, which has helped CISA catalog vulnerabilities, emphasized the new reality: “If you’re going to protect civil agencies, you’re going to have to move faster. We don’t have as much of a window as we used to have.”
The implications extend far beyond federal agencies. Nitin Natarajan, who served as deputy director of CISA under former President Joe Biden, expects these changes to influence other organizations:
- State and local governments will likely follow CISA’s lead
- Private businesses may face similar pressure to accelerate their response times
- The new standards could become the industry benchmark
“This is a signal to others that says, ‘Hey you need to do this more quickly,'” Natarajan said.
However, experts warn that the proposed timeline may be unrealistic for many organizations. CISA itself has been weakened by job cuts and government shutdowns under President Donald Trump, raising questions about whether the agency has sufficient resources to handle the increased pressure.
Kecia Hoyt, vice president at threat intelligence firm Flashpoint, highlighted the practical challenges: “Realistically, three days is simply impossible for some environments.” She noted that patching software flaws often requires detailed testing before deployment to avoid creating new problems.
The cybersecurity industry is already struggling to keep pace with AI-powered threats. John Hammond, senior principal security researcher at Huntress, called the three-day deadline “quite a change” and expressed cautious optimism while acknowledging uncertainty: “Only time will tell how well the industry keeps up.”
The proposed changes reflect broader concerns about AI’s impact on cybersecurity. While hackers have been using AI since at least 2023, the latest generation of models represents a significant escalation in capability. These tools can automate complex hacking operations that previously required significant human expertise and time.
The timeline for implementing these changes remains unclear, with no final decision announced yet. The discussions highlight the challenge facing cybersecurity professionals: balancing the need for speed against the reality of organizational constraints and the complexity of properly securing digital infrastructure.
