{"id":214100,"date":"2026-05-14T18:38:00","date_gmt":"2026-05-14T22:38:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/05\/14\/ai-drives-new-debate-around-cisa-software-patching-deadlines\/"},"modified":"2026-05-14T18:40:08","modified_gmt":"2026-05-14T22:40:08","slug":"ai-drives-new-debate-around-cisa-software-patching-deadlines-2","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/05\/14\/ai-drives-new-debate-around-cisa-software-patching-deadlines-2\/","title":{"rendered":"AI drives new debate around CISA software patching deadlines"},"content":{"rendered":"<p><a href=\"https:\/\/federalnewsnetwork.com\/cybersecurity\/2026\/05\/ai-drives-new-debate-around-cisa-software-patching-deadlines\/\">AI drives new debate around CISA software patching deadlines<\/a><\/p>\n<p><a href=\"https:\/\/federalnewsnetwork.com\/cybersecurity\/2026\/05\/ai-drives-new-debate-around-cisa-software-patching-deadlines\/\">https:\/\/federalnewsnetwork.com\/cybersecurity\/2026\/05\/ai-drives-new-debate-around-cisa-software-patching-deadlines\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-05-14 18:38:00<\/a><\/p>\n<p>Source Domain: <a href=\"federalnewsnetwork.com\">federalnewsnetwork.com<\/a><\/p>\n<p>Author: <a href=\"\"><\/a><\/p>\n<p>                    Growing concerns about artificial intelligence-driven cyber attacks are driving new debates around how quickly organizations should patch software vulnerabilities, including whether federal agencies should be required to meet patch deadlines in days rather than weeks.<br \/>\nCyber experts say faster patching will be needed in many cases, especially considering recent advancements in AI. 
But many also say shortening deadlines is unlikely, by itself, to drive speedier remediation and could have the reverse effect in some cases.<br \/>\nIn response to Anthropic\u2019s Claude Mythos preview, Trump administration leaders have reportedly considered cutting the standard deadline for agencies to patch Common Vulnerabilities and Exposures (CVEs) that are posted to the Cybersecurity and Infrastructure Security Agency\u2019s Known Exploited Vulnerabilities (KEV) catalog.<br \/>\nReuters reported that CISA and Office of the National Cyber Director leaders have discussed cutting the standard KEV deadline to three days, instead of two to three weeks.<\/p>\n<p>CISA didn\u2019t respond to a request for comment on deliberations surrounding KEV catalog deadlines. But all four entries CISA has made to the KEV catalog from May 6 through May 14 have had a three-day deadline.<br \/>\nAny acceleration of patching deadlines will likely be a challenge for many federal agencies. Hemant Baidwan, former chief information security officer at the Department of Homeland Security, said shifting to a three-day deadline \u201cis not going to be an easy thing,\u201d but added \u201cit does need to happen.\u201d<br \/>\n\u201cI don\u2019t think we have the luxury to wait and follow legacy remediation cycles, to wait for 30 days, 60 days, 120 days to really go after mitigating a security weakness,\u201d Baidwan, who is now executive CISO at security firm Knox Systems, told Federal News Network.<br \/>\nThe urgency has been driven by the Claude Mythos preview. 
But Rob Joyce, former cybersecurity director at the National Security Agency, said \u201ceven before Mythos, the risk environment changed dramatically\u201d due to large language models.<br \/>\nDuring a webinar hosted by Secureframe this week, Joyce said AI systems are finding software vulnerabilities \u201cat industrial scale.\u201d<br \/>\n\u201cWe\u2019re not finding bugs faster because we have more humans on the problem,\u201d Joyce said. \u201cWe\u2019re finding them faster because the discovery loop is now mostly machine.\u201d<br \/>\nHe recommended organizations quickly upgrade legacy technologies, which AI has proven adept at exploiting, while understanding that \u201cknown vulnerabilities will be exploited.\u201d<\/p>\n<p>\u201cFigure out how to patch faster, decommission those end-of-life systems,\u201d Joyce said. \u201cThe CISA KEV catalog telling you what is being exploited is a big red flashing light that stuff\u2019s coming for you.\u201d<br \/>\nKEV timelines accelerate<br \/>\nEven prior to last month\u2019s Mythos revelations, CISA had already been shortening deadlines for agencies to patch vulnerabilities posted to the KEV.<br \/>\nSo far in 2026, the average deadline for a vulnerability posted to the KEV catalog is 14.4 days. Last year, the average was 19.7 days, while in 2024, patch deadlines were more than 20 days, on average.<\/p>\n<p>CISA created the KEV catalog in 2021 to provide a repeatable mechanism for federal agencies to patch dangerous software bugs, rather than solely relying on one-off emergency directives.<br \/>\nThe initial goal was to have two weeks or shorter be the standard deadline. 
But officials quickly realized that many agencies weren\u2019t hitting those deadlines and were instead blowing past them by weeks or even months, according to Tod Beardsley, who served as section chief for the vulnerability response section at CISA and now works as vice president of research at security firm runZero.<br \/>\n\u201cParadoxically, when you have a shorter deadline, your time to patch goes up,\u201d Beardsley said.<br \/>\n\u201cWhen you set the metric to, you\u2019re good if you\u2019re before the deadline, and bad if you\u2019re after the deadline, you can\u2019t fail any harder once you\u2019ve passed through the deadline,\u201d Beardsley added.<br \/>\nBetween 2022 and 2025, CISA set the deadlines for patching most CVEs at three weeks. Beardsley said during his time at CISA, officials realized that two to three weeks was a \u201csweet spot\u201d for most agencies.<br \/>\nSince March of this year, however, CISA has begun setting most KEV deadlines at 14 days. And out of the 61 vulnerabilities in the history of the catalog with a patch deadline of seven days or less, 25 of them have come this year.<\/p>\n<p>\u201cIt has not gone unnoticed that the timelines have been already compressed,\u201d Beardsley said.<br \/>\nA federal chief information officer, granted anonymity because they were not authorized to speak publicly, acknowledged that patching timelines \u201chave to get as close to immediate as possible.\u201d Agencies need to \u201caccelerate both prioritizing and remediating system vulnerabilities,\u201d including through increased use of automation.<br \/>\nBut the CIO said it\u2019s important for agencies to prioritize issues that are truly exploitable within their specific IT environments.<br \/>\n\u201cI\u2019m OK with a faster timeline, but also recognize that just because there is a CVE, it doesn\u2019t mean it impacts us,\u201d the CIO said. \u201cIt also doesn\u2019t mean there is a solution that can be implemented quickly. 
I think that adding overhead reporting and data calls are actually worse than the changed timelines. If we keep in mind the people that actually do the work rather than write words, there shouldn\u2019t be any issues.\u201d<br \/>\nBaidwan said prioritization is crucial, especially in an area where AI is already increasing the volume of software vulnerabilities.<br \/>\n\u201cThe more quickly you can do that, the more quickly you can say, \u2018Well, CISA, I can\u2019t remediate this in three days, but I\u2019ve already implemented this mitigation that makes it more challenging an adversary to exploit,\u2019\u201d he said. \u201cAnd in the meantime, I\u2019ve already prioritized my resources in remediating the ones where we are truly vulnerable and could be exploited today.\u201d<br \/>\nBeardsley said agencies that do well with patch management tend to know what\u2019s in their environment and build playbooks around updating and maintaining software, especially \u201cweird software\u201d that some agencies rely upon.<br \/>\nHe also said CISA could advance new strategies and expertise around software lifecycle management.<br \/>\n\u201cCISA is in a very unique position in that they have 102 agencies that they are advising and occasionally giving directives to,\u201d Beardsley said. \u201cZeroing in one or two of them, and finding out, where it works and where it doesn\u2019t \u2026 You can do it confidentially and produce a report saying, \u2018This is what we see that works. Here\u2019s what doesn\u2019t. Here are the kinds of tech habits we see in the successful agencies.\u2019\u201d<br \/>\n                    Copyright<br \/>\n                            \u00a9\u00a02026 Federal News Network. All rights reserved. 
This website is not intended for users located within the European Economic Area.<\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>AI drives new debate around CISA software patching deadlines https:\/\/federalnewsnetwork.com\/cybersecurity\/2026\/05\/ai-drives-new-debate-around-cisa-software-patching-deadlines\/ Publish Date: 2026-05-14 18:38:00 Source&#8230;<\/p>\n","protected":false},"author":1,"featured_media":214103,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/federalnewsnetwork.com\/wp-content\/uploads\/2025\/01\/GettyImages-2181727430-e1736959045689.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,20,24,31,27],"class_list":["post-214100","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-artificial-intelligence","tag-cybersecurity","tag-exploit","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/214100"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=214100"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/214100\/revisions"}],"predecessor-version":[{"id":214104,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/214100\/revisions\/214104"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/214103"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-
json\/wp\/v2\/media?parent=214100"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=214100"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=214100"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}