{"id":229650,"date":"2026-06-10T18:48:00","date_gmt":"2026-06-10T22:48:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/06\/10\/ai-directive-focuses-patching-efforts-on-highest-risk-vulnerabilities\/"},"modified":"2026-06-10T18:50:35","modified_gmt":"2026-06-10T22:50:35","slug":"ai-directive-focuses-patching-efforts-on-highest-risk-vulnerabilities","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/06\/10\/ai-directive-focuses-patching-efforts-on-highest-risk-vulnerabilities\/","title":{"rendered":"AI directive focuses patching efforts on \u2018highest risk\u2019 vulnerabilities"},"content":{"rendered":"<p><a href=\"https:\/\/federalnewsnetwork.com\/cybersecurity\/2026\/06\/ai-directive-focuses-patching-efforts-on-highest-risk-vulnerabilities\/\">AI directive focuses patching efforts on \u2018highest risk\u2019 vulnerabilities<\/a><\/p>\n<p><a href=\"https:\/\/federalnewsnetwork.com\/cybersecurity\/2026\/06\/ai-directive-focuses-patching-efforts-on-highest-risk-vulnerabilities\/\">https:\/\/federalnewsnetwork.com\/cybersecurity\/2026\/06\/ai-directive-focuses-patching-efforts-on-highest-risk-vulnerabilities\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-06-10 18:48:00<\/a><\/p>\n<p>Source Domain: <a href=\"federalnewsnetwork.com\">federalnewsnetwork.com<\/a><\/p>\n<p>Author: <a href=\"\"><\/a><\/p>\n
<p>Federal agencies are now required to adopt a more tailored approach to patching the highest risk cyber vulnerabilities in their networks, under a new directive that accounts for recent advancements in artificial intelligence-driven cyber exploits.<br \/>\nIn a binding operational directive released Wednesday, the Cybersecurity and Infrastructure Security Agency laid out how agencies should prioritize high-risk vulnerabilities for more immediate action, while deferring lower-risk vulnerabilities.<br \/>\nThe directive is largely driven by advancements in new AI models that could allow hackers to more quickly identify new software vulnerabilities and exploit existing vulnerabilities before they can be patched or mitigated.<br \/>\nCISA officials had previewed how the BOD would be one of the first outputs under an AI security executive order signed by President Donald Trump last week.<\/p>\n<p>Chris Butera, acting executive assistant director for cybersecurity at CISA, said the new approach should allow agencies to patch \u201csmarter, not harder.\u201d<br \/>\n\u201cWe really believe we should be able to free up some time to patch the most urgent vulnerabilities faster, while allowing for more regular patch cycles for some of the lower-risk vulnerabilities,\u201d Butera said. 
\u201cWe are hopeful that this binding operational directive will not require additional work for the agencies, but rather allow them to better prioritize the patching.\u201d<br \/>\nThe framework will drive more aggressive patching cycles in the most critical cases.<br \/>\nCISA\u2019s directive lays out four primary risk factors: Whether the vulnerable software is connected to the internet; whether it\u2019s identified in CISA\u2019s Known Exploited Vulnerabilities (KEV) catalog; whether it\u2019s capable of being exploited by automated means; and whether it would give an adversary partial or total control of the technology after exploitation of the vulnerability.<br \/>\nFor vulnerabilities that meet at least three of the new criteria, the patching deadline will be three days. Historically, federal patching deadlines have averaged between two and three weeks.<br \/>\nButera said CISA analyzed vulnerabilities at one civilian agency, which he did not identify, and found that 1% of their vulnerabilities would require patching within three days, while more than 60% could be deferred to the next system update.<br \/>\nHe also noted that agencies have 180 days to begin implementing the new processes.<\/p>\n<p>\u201cWe do believe that agencies should be able to meet the three-day deadline,\u201d Butera said. \u201cThat is why we didn\u2019t choose, for example, a 24-hour deadline, because we think three days as a deadline is both fast and the agencies will be able to meet it.\u201d<br \/>\nIn a LinkedIn post, Tod Beardsley, CISA\u2019s former KEV section chief, noted the BOD creates clarity around when a vulnerability is severe enough to warrant an accelerated patching deadline.<br \/>\n\u201cHigh severity or low severity, it was always a little mysterious when a KEV had an unusual remediation deadline for federal agencies, like one day or seven days,\u201d he wrote. 
\u201cNow we know: the deadline shall hinge on if the target is publicly accessible, as well as the attacker value of the bug at hand.\u201d<br \/>\nBut Beardsley added that the more aggressive patching deadlines may be difficult for many federal agencies to meet, even if they\u2019re needed in the age of autonomous AI agents.<br \/>\n\u201cI remain dubious that a three-day deadline spread across more than a hundred agencies is an achievable patch cadence today, but we\u2019ll all find out together,\u201d Beardsley wrote.<br \/>\nMeanwhile, although CISA\u2019s directive is a requirement only for federal agencies, officials hope it will help drive new vulnerability management practices more broadly.<br \/>\n\u201cWhile this directive is a mandate for federal agencies, CISA strongly encourages all partners, including critical infrastructure owners and operators, and state, local, tribal, and territorial governments, to adopt similar actions in their vulnerability management programs,\u201d Butera said.<br \/>\nNew critical infrastructure legislation<br \/>\nAlso on Wednesday, Sen. Mark Warner (D-Va.) introduced a bill requiring CISA to lead updates to the 16 sector risk management plans, in conjunction with other agencies that oversee critical infrastructure. The updates would be due within nine months of enactment. It would also require those plans to be updated every two years going forward.<br \/>\nNews of the legislation was first reported by NextGov.<\/p>\n<p>In a statement, Warner\u2019s office highlighted how some sector plans haven\u2019t been updated in a decade.<br \/>\n\u201cAs AI continues to rapidly evolve, we must ensure our cybersecurity defenses keep up with the threats of the moment,\u201d Warner said. 
\u201cIt\u2019s critical that government works closely with industry, regulators, and cybersecurity experts to develop and regularly update the plans we need to protect our critical infrastructure from increasingly sophisticated malicious actors, including those enabled by AI.\u201d<br \/>\nCopyright \u00a9\u00a02026 Federal News Network. All rights reserved.<\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>AI directive focuses patching efforts on \u2018highest risk\u2019 vulnerabilities https:\/\/federalnewsnetwork.com\/cybersecurity\/2026\/06\/ai-directive-focuses-patching-efforts-on-highest-risk-vulnerabilities\/ Publish Date: 2026-06-10 18:48:00 Source&#8230;<\/p>\n","protected":false},"author":1,"featured_media":229651,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/federalnewsnetwork.com\/wp-content\/uploads\/2025\/01\/GettyImages-1197780051-scaled.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,20,24,31,27],"class_list":["post-229650","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-artificial-intelligence","tag-cybersecurity","tag-exploit","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/229650"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=229650"}],"version-history":[{"count":1,"href":"http
s:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/229650\/revisions"}],"predecessor-version":[{"id":229652,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/229650\/revisions\/229652"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/229651"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=229650"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=229650"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=229650"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}