
US Cyber Officials Tighten Patching Deadlines Amid AI-Driven Threats


"A move from two weeks to three days reflects a fundamental shift in the threat landscape, driven by AI’s ability to accelerate vulnerability discovery and exploitation," Matthew Hartman, Chief Strategy Officer at Merlin Group, said.

What U.S. cyber officials are considering and why it matters

Reuters reported that United States cyber officials are weighing a proposal to shorten the government’s average remediation timeline for critical vulnerabilities from two to three weeks down to three days. The shift follows public releases of Anthropic’s Claude Mythos and OpenAI’s GPT-5.4-Cyber, developments that security leaders cited as accelerating attackers’ ability to find and weaponize flaws.

Morey Haber: vendor timelines, testing, and the operational physics

Morey Haber, Chief Security Advisor at BeyondTrust, framed the proposal as "not just an aggressive policy" but a recognition that "the threat landscape has fundamentally changed." He warned that AI now enables rapid discovery and weaponization — “what once took weeks for a discovered vulnerability to be weaponized with a reliable working exploit now takes merely hours.”

Haber emphasized practical constraints: vendors and open-source communities may not produce tested patches within compressed windows, and many organizations rely on lengthy approval chains. He listed the necessary steps that lengthen remediation — asset discovery, impact analysis, regression testing, change management, outage coordination and regulatory validation — and noted that for critical infrastructure and financial systems a patch is often delayed because of downtime and reboot requirements.

Operational readiness: automation, visibility, and staff capacity

Several experts agreed that closing the proposed three‑day gap will hinge on automation and real‑time visibility. Hartman said most organizations “are not yet equipped to safely validate, prioritize, and remediate critical or actively exploited vulnerabilities at that pace” without risking service disruption or incomplete fixes. He called for “sharper prioritization, along with significant investment in automation and real-time asset visibility.”

Trey Ford, Chief Strategy and Trust Officer at Bugcrowd, characterized three days as “a business continuity objective” rather than merely a technical mandate. Ford warned that organizations built around two‑week approval chains will find those chains produce liability and extended exposure, and he urged a shift from periodic reviews to “continuous adversarial testing as an operational baseline.”

Louis Eichenbaum and John Gallagher: containment and non‑IT systems

Louis Eichenbaum, Federal CTO at ColorTokens, argued that patching alone is insufficient and urged containment strategies such as microsegmentation. He said a significant portion of federal environments — notably legacy and OT systems — “cannot be patched quickly, and in some cases cannot be patched at all without risking mission disruption.” Microsegmentation, he suggested, “reduces the blast radius of exploitation and provides enhanced visibility into vulnerable assets” while buying time to modernize on operational schedules.

John Gallagher, Vice President of Viakoo Labs at Viakoo, said CISA’s proposal “reflects the reality that the speed of AI‑driven cyber‑attacks provides threat actors a clear advantage.” He underscored that the hardest impact will be on OT, IoT, and ICS environments, where “patching and remediation processes are different and more complex than IT environments.” Gallagher noted that methods exist for rapid IT patching via automation, but the proposal should direct more focus to practical methods that operators of non‑IT systems can use.

How federal CIOs and CISOs, vendors and open‑source maintainers, and enterprises are positioned

  • Federal CIOs and CISOs: They will be pushed to accelerate automated remediation and risk‑based prioritization. Hartman said many CIOs and CISOs lack the tooling today to validate and remediate at three‑day speed without risking service disruption.
  • Vendors and open‑source maintainers: Haber warned that compressed deadlines assume patches exist and are sufficiently tested; maintainers may not be able to deliver rapid, quality fixes and risk introducing regressions if rushed.
  • Enterprises and operators of OT/IoT/ICS: Gallagher and Eichenbaum highlighted that non‑IT systems often cannot be patched quickly; these operators will need containment measures such as microsegmentation and pre‑staged remediation lanes to avoid mission disruption.

Where the proposal leaves questions

Experts across the board accepted the premise that AI has shortened the attacker’s tempo, but they diverged on how achievable a three‑day deadline is in practice. Collin Hogue‑Spears, Senior Director of Solution Management at BlackDuck, summarized the dilemma: “Three days is not a magic number. It is a deadline that admits attackers work in hours.” Hogue‑Spears argued the real work is not in setting the clock but in pre‑staging remediation lanes — named owners, automated rollback testing, inventories and pre‑approved compensating controls — so the first meaningful decision does not arrive after the clock starts.
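The "pre‑staged remediation lanes" and risk‑based prioritization described above can be made concrete. The script below is an added example, not code from the article or from any company quoted in it; it assumes a small, invented asset inventory (placeholder CVE identifiers, made‑up owners and hostnames) and two SLA policies, a 14‑day legacy window and the proposed 3‑day window for critical or actively exploited flaws. For each finding it produces a dated lane with a named owner, routes unpatchable OT assets to a pre‑approved compensating control instead of an impossible patch task, and flags anything that has neither a patch path nor an approved control so the decision is forced before, not after, the clock runs out.

```python
"""Remediation-lane planner: turns a vulnerability inventory into dated,
owned remediation tasks under a configurable SLA policy.

Constructed example for illustration; not tooling from any vendor quoted
in the article. All hostnames, owners, CVE ids and dates are invented.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# SLA windows in days, keyed by severity. "known_exploited" is the fastest
# lane and overrides severity. Two policies let one inventory be compared.
POLICIES = {
    "legacy_14d":  {"critical": 14, "high": 30, "medium": 90, "known_exploited": 14},
    "proposed_3d": {"critical": 3,  "high": 14, "medium": 30, "known_exploited": 3},
}


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str                 # placeholder ids such as "CVE-0000-0001"
    severity: str            # "critical" | "high" | "medium"
    detected: datetime       # when the scanner first reported it
    owner: str               # named owner: a pre-staged lane requirement
    patch_available: bool
    patchable: bool          # False for OT/ICS gear that cannot be rebooted on demand
    known_exploited: bool = False
    compensating_control: Optional[str] = None  # pre-approved fallback, if any


def sla_days(f: Finding, policy: dict) -> int:
    """Days allowed by policy; exploitation status wins over severity."""
    if f.known_exploited:
        return min(policy["known_exploited"], policy[f.severity])
    return policy[f.severity]


def plan_remediation(findings, now: datetime, policy_name: str):
    """Return one lane per finding: action, due date, owner, overdue flag.

    Patchable assets with a patch get a "patch" lane; unpatchable assets with
    a pre-approved control get a "contain:<control>" lane; anything else is
    "escalate", meaning a human decision is needed immediately.
    """
    policy = POLICIES[policy_name]
    lanes = []
    for f in findings:
        due = f.detected + timedelta(days=sla_days(f, policy))
        if f.patchable and f.patch_available:
            action = "patch"
        elif f.compensating_control:
            action = f"contain:{f.compensating_control}"
        else:
            action = "escalate"
        lanes.append({
            "asset": f.asset, "cve": f.cve, "owner": f.owner,
            "action": action, "due": due, "overdue": now > due,
        })
    # Overdue items first, then soonest due: the queue is the priority list.
    lanes.sort(key=lambda lane: (not lane["overdue"], lane["due"]))
    return lanes


def count_by_action(lanes):
    """Small summary helper: how many lanes fall into each action type."""
    counts = {}
    for lane in lanes:
        kind = lane["action"].split(":")[0]
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample inventory (all values invented).
T0 = datetime(2025, 1, 6, tzinfo=timezone.utc)
SAMPLE_FINDINGS = [
    Finding("web-gw-01", "CVE-0000-0001", "critical", T0, "platform-team",
            patch_available=True, patchable=True, known_exploited=True),
    Finding("hr-app-03", "CVE-0000-0002", "high", T0, "apps-team",
            patch_available=True, patchable=True),
    Finding("plc-line-7", "CVE-0000-0003", "critical", T0, "ot-ops",
            patch_available=False, patchable=False,
            compensating_control="microsegment-vlan-isolation"),
    Finding("scada-hmi-2", "CVE-0000-0004", "critical", T0, "ot-ops",
            patch_available=True, patchable=False),
]


if __name__ == "__main__":
    now = T0 + timedelta(days=4)
    for policy_name in POLICIES:
        print(f"== {policy_name} ==")
        for lane in plan_remediation(SAMPLE_FINDINGS, now, policy_name):
            flag = "OVERDUE" if lane["overdue"] else "ok"
            print(f"{lane['asset']:12} {lane['cve']:14} {lane['owner']:14} "
                  f"{lane['action']:36} due {lane['due']:%Y-%m-%d} {flag}")
```

Run it as a script to see the same four findings under both policies: four days after detection the 14‑day policy shows nothing overdue, while the 3‑day policy shows the exploited gateway, the PLC (already on a containment lane) and the HMI with no approved control all past due. The "escalate" lane is the one Hogue‑Spears' point targets: under a 3‑day clock, an asset with no patch path and no pre‑approved compensating control is a decision that should already have been made.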

The proposal shifts where the burden falls: toward automation, continuous visibility, and containment strategies for systems that cannot be patched quickly. Whether agencies, vendors, and enterprises can make those investments in time is the practical question the policy now forces into plain view.

Source: SecurityMagazine — Security Experts Discuss Proposed Government Patching Deadlines