U.S. cybersecurity officials are considering sharply shorter deadlines for fixing critical flaws in government IT systems, amid concerns hackers could exploit them using artificial‑intelligence tools such as Anthropic’s Mythos, sources said. The move would slash the deadline for responding to actively exploited vulnerabilities from two weeks to three days.
Anxiety over AI models like Mythos and OpenAI's GPT‑5.4‑Cyber has been building. These newer models can identify previously unknown vulnerabilities or seize on freshly disclosed ones to enable complex hacking operations, compressing the exploitation timeframe from months or weeks to just hours.
That in turn is pressuring defenders to accelerate. Stephen Boyer, founder of cybersecurity firm Bitsight, said: "If you're going to protect civil agencies, you're going to have to move faster. We don't have as much of a window as we used to have."
The proposals are being discussed by Nick Andersen, acting chief of CISA, and Sean Cairncross, U.S. national cyber director. CISA has for years curated a catalog of known-and-exploited vulnerabilities (KEVs) and typically gives civilian agencies a two-week deadline to fix flaws. The new proposals would default to just three days.
Nitin Natarajan, former deputy director of CISA, said tightening deadlines will likely serve as a model for state and local governments and businesses: "This is a signal to others that says, 'Hey you need to do this more quickly.'" However, he warned that CISA, depleted by deep job cuts and government shutdowns under President Trump, needs the capacity to handle tighter deadlines.
Kecia Hoyt of threat intelligence firm Flashpoint cautioned that patching can involve complex tests: "Realistically, three days is simply impossible for some environments." John Hammond of Huntress said dropping from two weeks to three days is "quite a change," adding that "only time will tell how well the industry keeps up."