The US cyber defence agency said that government officials now have three days to deal with the most serious categories of digital vulnerabilities in their networks, a compressed timeline that is due in part to hackers' use of artificial intelligence.
The deadline, which was set in a new directive issued by the Cybersecurity and Infrastructure Security Agency, obligates civilian federal agencies with vulnerable software or equipment to fix, disable, or remove it from the internet within three calendar days, depending on the severity of the threat.
Many cyber experts worry that new, more advanced AI models along the lines of Anthropic's Mythos are supercharging hackers' abilities to take advantage of digital vulnerabilities across the internet, forcing tech workers to plug security holes almost as soon as they are discovered.
"Defenders cannot afford to take weeks to patch systems that can be autonomously exploited en masse," CISA acting executive assistant director for cyber security Chris Butera told reporters.
He said the directive was "an initial step to counter the increased capabilities of those emerging AI models."
Reuters first reported last month that US officials were considering the adoption of a three-day deadline to deal with potentially dangerous flaws.
Even under the new directive, there is still more time to deal with less severe weaknesses, such as ones that are not easy for hackers and cybercriminals to automate, or do not concern publicly exposed digital infrastructure.
An appendix to the order leaves two weeks to deal with many vulnerabilities and as long as two months for the least serious category of flaw.
.jpg&h=140&w=231&c=1&s=0)
iTnews State of Security Breakfast
iTnews State of Data & AI Breakfast
The 2026 iAwards
.jpg&w=120&c=1&s=0)
Integrate 2026
Security Exhibition & Conference
_(1).jpg&h=140&w=231&c=1&s=0)
