CISA directive revamps how agencies prioritize vulnerable systems


The move is part of CISA’s response “to the current threat landscape where AI software services can assist threat actors to find and exploit vulnerabilities,” the agency says.

The Cybersecurity and Infrastructure Security Agency released a binding directive Wednesday requiring federal agencies to rethink how they prioritize vulnerability fixes across government networks.

The directive sets remediation deadlines based on several factors, including whether a flaw is publicly exposed, already known to be exploited, automatable by attackers or capable of giving hackers control of an affected system.

It establishes new timelines to patch security flaws, from three days for the highest-risk vulnerabilities to 60 days for lower-priority items. Some vulnerabilities that are not publicly exposed, not known to be exploited and not automatable by adversaries can be deferred until the affected system receives a scheduled major upgrade.
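As an added illustration (not text or code from CISA or the directive itself), the following Python model shows how factor-based prioritization of this kind turns a vulnerability inventory into a remediation queue. Only the three outcomes the article names come from the page: a three-day deadline for the highest-risk tier, a 60-day deadline for lower-priority items, and deferral to the next scheduled major upgrade when a flaw is not publicly exposed, not known to be exploited and not automatable. The intermediate 14-day tier, the exact combination of factors that selects each tier, and the sample vulnerability instances are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Tier -> days allowed for remediation. Only the 3-day and 60-day figures and
# the "defer until the next major upgrade" outcome (None) come from the article;
# the 14-day tier is an ASSUMED intermediate value for illustration.
DEADLINE_DAYS = {"critical": 3, "high": 14, "medium": 60, "deferred": None}


@dataclass(frozen=True)
class VulnInstance:
    """One vulnerability on one host, with the four factors the article lists."""
    ident: str            # constructed identifier, not a real CVE
    host: str
    publicly_exposed: bool
    known_exploited: bool
    automatable: bool
    total_control: bool   # flaw could give an attacker control of the system


def tier(v: VulnInstance) -> str:
    """Map the four factors to a remediation tier.

    The deferral rule mirrors the article; the other three rules are an
    ASSUMED ordering chosen to put exposed, actively exploited flaws first.
    """
    if v.publicly_exposed and v.known_exploited:
        return "critical"
    if v.publicly_exposed and (v.automatable or v.total_control):
        return "high"
    if v.publicly_exposed or v.known_exploited or v.automatable:
        return "medium"
    # Not exposed, not exploited, not automatable: wait for the scheduled upgrade.
    return "deferred"


def due_date(v: VulnInstance, found_on: str) -> Optional[str]:
    """Return the ISO due date for a finding, or None if remediation is deferred."""
    days = DEADLINE_DAYS[tier(v)]
    if days is None:
        return None
    return (date.fromisoformat(found_on) + timedelta(days=days)).isoformat()


def summarize(instances) -> dict:
    """Count instances per tier, the kind of breakdown CISA reported
    (e.g. 1% in the three-day bucket, >60% deferrable)."""
    counts = {name: 0 for name in DEADLINE_DAYS}
    for v in instances:
        counts[tier(v)] += 1
    return counts


def work_queue(instances, found_on: str) -> list:
    """Order findings by urgency: shortest deadline first, deferred items last."""
    def sort_key(v):
        days = DEADLINE_DAYS[tier(v)]
        return (days is None, days if days is not None else 0, v.ident)
    return [(v.ident, v.host, tier(v), due_date(v, found_on))
            for v in sorted(instances, key=sort_key)]


# Constructed sample inventory (hosts and identifiers are made up).
SAMPLE = [
    VulnInstance("VULN-1", "web-01", True, True, True, True),
    VulnInstance("VULN-2", "web-02", True, False, True, False),
    VulnInstance("VULN-3", "db-01", False, True, False, True),
    VulnInstance("VULN-4", "print-01", False, False, False, True),
    VulnInstance("VULN-5", "vpn-01", True, False, False, False),
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
    for row in work_queue(SAMPLE, "2025-01-01"):
        print(row)
```

The point of the model is that an inventory with hundreds of findings collapses into a short front-of-queue list; everything in the deferred bucket still gets tracked, but it waits for the upgrade window rather than consuming emergency patching capacity.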

The policy marks a significant shift in federal cyber management by pushing agencies to focus remediation resources on flaws that could be the most impactful if leveraged by hackers, rather than treating all vulnerabilities as equally urgent.


“CISA is leading and collaborating with federal civilian agencies to stay ahead of our adversaries as tactics, technologies and vulnerabilities change,” agency acting director Nick Andersen said in a statement. “While this directive is a mandate for federal agencies, CISA strongly encourages all partners to adopt similar actions in their vulnerability management policy.”

The directive is an acknowledgment that agencies cannot protect every system equally through patch mandates and must instead focus their often limited resources on the vulnerabilities and networks whose compromise could cause the greatest damage. Federal agencies are a constant target for hackers because of the sensitive data often stored on their networks.

In an initial analysis at one large civilian agency, CISA found that “only 1% of vulnerability instances fall into the three-day category,” while more than 60% could be deferred until the next system upgrade, according to a blog post by Chris Butera, the agency’s acting executive assistant director for cybersecurity, and Jonathan Spring, a senior technical adviser.

In a call with reporters, Butera said that CISA has engaged with others in the government and that officials hope the move “will not require additional work” for agencies but help them better prioritize patching.

“We do believe the agencies should be able to meet the three-day deadline,” he said when asked whether the directive’s patching mandates are realistic. “Why we didn’t choose, for example, a 24-hour deadline, is because we think three days is a deadline that is both fast and agencies will be able to meet it.”

The administration’s AI posture has evolved in recent months as officials grapple with cyber-focused models that can quickly surface weaknesses across computer networks.

President Donald Trump recently signed an AI security executive order encouraging developers to submit powerful new models for a 30-day government review before public release. He also signed a separate memorandum aimed at accelerating the government’s use of advanced AI across the military and intelligence community.

On Wednesday, Senate Intelligence Committee Vice Chairman Mark Warner, D-Va., introduced legislation requiring CISA to update cybersecurity plans for each of the nation’s 16 critical infrastructure sectors, citing concerns that fast-evolving AI tools will accelerate threats to essential services, Nextgov/FCW first reported.