CISA Tells US Agencies to Fix Security Bugs in as Little as 3 Days Thanks to AI Threats
Key takeaways
- The directive comes as private companies and governments have been scrambling to assess the extent of the cybersecurity reckoning that AI vulnerability and exploit development capabilities could unleash.
- The directive supersedes two previous CISA orders related to patching timelines for urgent vulnerabilities—one from 2019 and one from 2021.
- US federal cybersecurity has improved significantly over the past decade, but it still often lags, thanks to funding shortfalls and competing priorities.
CISA acting director Nicholas Andersen. Photograph: Andrew Harnik/Getty Images

With new generations of AI models fueling both rapid software vulnerability discovery and the potential for faster exploitation by malicious hackers, the United States Cybersecurity and Infrastructure Security Agency released a new directive on Wednesday that requires more rapid and efficient software patching by federal civilian agencies. The “binding operational directive” (BOD) lays out a rubric for how quickly bugs must be fixed based on four assessments of urgency, with a turnaround time in critical cases of just three days.
Chris Butera, CISA's acting executive assistant director for cybersecurity, told reporters on Wednesday that the goal of the directive is to help agencies prioritize, so they can address the most problematic vulnerabilities first while taking more time to remediate bugs that pose a less-pressing risk. The directive comes as private companies and governments have been scrambling to assess the extent of the cybersecurity reckoning that AI vulnerability and exploit development capabilities could unleash.
“Prioritizing IT and security operations attention on the most at-risk assets is particularly important now given advancements in artificial intelligence, which allow threat actors to find and exploit vulnerabilities in [federal] assets,” Butera said on Wednesday. “Defenders cannot afford to take weeks to patch systems that can be autonomously exploited en masse.”