CISA Is Considering a 3-Day Patch Deadline. AI Is Why.

Bottom Line

AI has compressed the time between CVE disclosure and weaponized exploitation from weeks to hours. CISA is now evaluating a 3-day mandatory patching window for actively exploited vulnerabilities. Enterprise IT patching processes — built around 14–21 day cycles — are not structurally capable of meeting this SLA today.

US cybersecurity officials are actively evaluating a reduction in federal vulnerability patching deadlines from the current 14-to-21-day window to three days for actively exploited vulnerabilities. CISA acting director Nick Andersen and National Cyber Director Sean Cairncross have both referenced the proposal in recent briefings. The stated driver is AI: automated exploit development tools now compress the time between CVE publication and weaponized exploitation to hours, not weeks. The window that 14 days was designed to protect no longer exists.

The proposal affects all federal civilian executive branch agencies subject to BOD 22-01, which established the Known Exploited Vulnerabilities catalog. It would also set a precedent that regulated industries and critical infrastructure operators would face pressure to match. The pushback from enterprise IT teams has been immediate and pointed: three days is not operationally achievable for most complex environments.

The AI Justification Is Well-Founded

The threat timeline compression argument is not hypothetical. Multiple research groups have demonstrated AI-assisted exploit development producing functional proof-of-concept code within hours of CVE publication. Academic research published in early 2026 showed LLM-assisted exploit generation achieving functional exploitation of disclosed vulnerabilities in under four hours for a significant subset of high-severity CVEs, compared to days or weeks using traditional manual methods.

Operational evidence supports this. The BeyondTrust remote access appliance flaw disclosed in February 2026 saw active exploitation begin within 36 hours of the CVE going public. CISA used that incident as an informal test of the 3-day concept, pushing emergency remediation guidance to federal agencies within 24 hours of disclosure. The exercise revealed both the validity of the concern and the operational reality: many agencies could not comply within three days regardless of the urgency signal.

Current KEV Deadlines

BOD 22-01 currently requires federal agencies to patch KEV catalog entries within 14 days for internet-facing systems and 21 days for internal systems. The proposed change would reduce both to 3 days for any vulnerability with confirmed active exploitation. CISA has not announced a formal rulemaking timeline.

Why Three Days Is Not Operationally Achievable

The objections from enterprise IT and security teams are not about willingness. They are about process reality. A credible patch deployment cycle in a complex environment involves: vendor patch validation against production configurations, testing in a staging environment representative of production, change advisory board review and approval, maintenance window scheduling, phased rollout starting with non-critical systems, and rollback preparation. None of this is bureaucratic excess. All of it exists because failed patches cause outages that in critical infrastructure cause real-world harm.

Three days is the total available time. In a 24x7 operation with staff available around the clock and a mature patch management infrastructure, it might be achievable for a specific, well-understood vulnerability class affecting a limited number of systems. For an agency running legacy systems, mixed vendor environments, and change control boards that meet weekly, it is not.

Why the Window Collapsed: AI-Accelerated Exploit Timeline
1. CVE published: NVD entry goes live with technical description and CVSS score; a patch may or may not be simultaneously available.
2. AI-assisted PoC generation: threat actors use LLMs to analyze the CVE description and generate proof-of-concept exploit code; hours, not days.
3. Active exploitation begins: weaponized exploits are deployed against unpatched systems within 24-48 hours of CVE publication for high-value targets.
4. Federal agencies still in change control: most agencies are in vendor validation or awaiting CAB approval when exploitation is already underway.

The Gap Is the Real Problem

The policy debate over 3 days versus 14 days misses the structural issue. Patching infrastructure, meaning the processes, tooling, staffing, and governance that actually get patches deployed, has not kept pace with the threat timeline. Changing the number on the deadline does not change the operational reality on the ground. Agencies that cannot currently patch in 14 days will not be able to patch in three days because the deadline changed.

What would actually close the gap: investment in automated patch testing infrastructure, pre-approved emergency patching procedures that bypass standard change control for CISA KEV entries, maintained and tested rollback capability that makes fast deployment less risky, and asset inventory accurate enough to know in real time what is exposed when a new CVE drops. These are the prerequisites for sub-week patching. Without them, shortening the deadline produces compliance theater, not reduced exposure.
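The last prerequisite above, an inventory accurate enough to say what is exposed the moment a KEV entry lands, is the one a script can illustrate. The following is an added example (not RedEye's tooling, nor CISA's) that joins KEV-style catalog entries to an asset inventory by vendor and product, computes each exposed host's due date under the current BOD 22-01 windows stated earlier on this page (14 days internet-facing, 21 days internal) and under the proposed 3-day window, and reports how many hosts would already be past due under each regime. The catalog entries reuse the field names of CISA's public KEV JSON feed, but the CVE ids, vendors, products and hostnames are constructed placeholders, and the "patched" and "internet_facing" flags stand in for whatever the real inventory source provides.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Remediation windows as described on this page: BOD 22-01 today, and the proposed change.
CURRENT_WINDOW_DAYS = {"internet_facing": 14, "internal": 21}
PROPOSED_WINDOW_DAYS = 3

# Constructed KEV-style entries. Field names mirror CISA's KEV JSON feed; the CVE ids,
# vendor and products are placeholders, not real catalog entries.
KEV_ENTRIES = [
    {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor",
     "product": "Remote Access Appliance", "dateAdded": "2026-02-10",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVendor",
     "product": "Directory Server", "dateAdded": "2026-02-12",
     "knownRansomwareCampaignUse": "Unknown"},
]

# Constructed asset inventory: which hosts run which product, whether each is reachable
# from the internet (selects the 14- or 21-day window), and whether it is already patched.
ASSETS = [
    {"host": "vpn-edge-01", "vendorProject": "ExampleVendor", "product": "Remote Access Appliance",
     "internet_facing": True, "patched": False},
    {"host": "dir-core-01", "vendorProject": "ExampleVendor", "product": "Directory Server",
     "internet_facing": False, "patched": False},
    {"host": "dir-core-02", "vendorProject": "ExampleVendor", "product": "Directory Server",
     "internet_facing": False, "patched": True},
    {"host": "web-app-07", "vendorProject": "OtherVendor", "product": "Web Portal",
     "internet_facing": True, "patched": False},
]


@dataclass
class Exposure:
    """One unpatched host affected by one KEV entry, with its due date under both regimes."""
    host: str
    cve_id: str
    date_added: date
    current_due: date
    proposed_due: date

    def overdue(self, today: date, proposed: bool = False) -> bool:
        due = self.proposed_due if proposed else self.current_due
        return today > due


def match_exposures(kev_entries, assets):
    """Join catalog entries to unpatched assets on (vendorProject, product)."""
    exposures = []
    for entry in kev_entries:
        added = date.fromisoformat(entry["dateAdded"])
        key = (entry["vendorProject"], entry["product"])
        for asset in assets:
            if asset["patched"] or (asset["vendorProject"], asset["product"]) != key:
                continue
            tier = "internet_facing" if asset["internet_facing"] else "internal"
            exposures.append(Exposure(
                host=asset["host"],
                cve_id=entry["cveID"],
                date_added=added,
                current_due=added + timedelta(days=CURRENT_WINDOW_DAYS[tier]),
                proposed_due=added + timedelta(days=PROPOSED_WINDOW_DAYS),
            ))
    return exposures


def sla_report(kev_entries, assets, today_iso: str) -> dict:
    """Count exposed hosts and how many are past due under the current and proposed windows."""
    today = date.fromisoformat(today_iso)
    exposures = match_exposures(kev_entries, assets)
    return {
        "exposed": len(exposures),
        "overdue_current": sum(e.overdue(today) for e in exposures),
        "overdue_proposed": sum(e.overdue(today, proposed=True) for e in exposures),
    }


if __name__ == "__main__":
    today_iso = "2026-02-16"
    for e in match_exposures(KEV_ENTRIES, ASSETS):
        print(f"{e.host}: {e.cve_id} added {e.date_added}, "
              f"due {e.current_due} (BOD 22-01) / {e.proposed_due} (3-day)")
    print(sla_report(KEV_ENTRIES, ASSETS, today_iso))
```

Run against a 2026-02-16 snapshot, the two unpatched matching hosts are both still inside their 14- and 21-day windows but already past a 3-day deadline; that difference is the gap the paragraph above describes. The join is deliberately simple: a real inventory needs version-aware matching, since a catalog entry covers specific affected versions, and the "patched" flag should come from verified installed versions rather than a change ticket.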

For critical infrastructure operators specifically, the stakes are higher and the constraints more severe. An ICS or SCADA environment may not have vendor-validated patches available within three days, may lack tested rollback capability, and may not be able to schedule maintenance windows on that timeline without operational impact. The 3-day standard designed for federal IT networks will not translate cleanly to operational technology environments.

The right response to AI-compressed exploit timelines is to build patching infrastructure that can actually move faster, not to mandate speed that current infrastructure cannot deliver. The mandate can come later. The infrastructure investment needs to come first.

If a 3-day mandate lands, will your patch process survive it?

RedEye Security assesses patch management maturity for federal contractors and critical infrastructure operators, identifying the gaps between current capability and emerging compliance requirements.

Talk to us