CISA is reportedly considering reducing the remediation deadline for critical known-exploited vulnerabilities from 14 days to just 72 hours, driven by concerns that AI models like Anthropic's Claude Mythos could accelerate attacker exploitation of flaws. The current framework under BOD 22-01 requires patching KEV-listed vulnerabilities within 14 days. Security experts are divided: some argue three days is impractical without proper testing infrastructure, while others say agencies already capable of meeting 14-day deadlines could adapt. The change remains unconfirmed but involves senior officials including CISA's acting chief and the US national cyber director.
Sort: