Chris Butera, CISA’s acting executive assistant director for cybersecurity, told reporters Wednesday that the goal of the directive is to help agencies prioritize so they can address the most problematic vulnerabilities first, while taking more time to fix bugs that pose less pressing risks. The directive comes as private companies and governments struggle to assess how many cybersecurity vulnerabilities AI-driven vulnerability discovery and exploit development capabilities could be used to exploit.
“Prioritizing IT and security operations to focus on the assets most at risk is especially important now given advances in artificial intelligence, which allow threat actors to find and exploit vulnerabilities. [federal] Property,” Butera said Wednesday. “Defenders cannot spend weeks patching systems that could be exploited en masse autonomously.”
The CISA directive’s criteria for evaluating patch urgency include looking at whether a vulnerability is in a system that has been publicly exposed, whether the bug is listed on CISA’s list of known exploited vulnerabilities, whether an attacker could automate all the steps to exploit the vulnerability, and how much access the attacker would have to the target if the bug were exploited. According to the new directive, a vulnerability where all four points apply must be patched within three days, and the agency must also execute a “forensic triage” process to determine if the system has already been compromised.
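The paragraph above describes a four-criterion rubric but only spells out its top tier. The following is an added worked example, not CISA's rubric or code from the article, that applies those four criteria to a small constructed inventory of findings and orders them for remediation. The field names, the finding identifiers, and the sample findings are assumptions made here; the article gives no timeline for findings that miss one or more criteria, so the example labels those as lower tier rather than inventing a deadline.

```python
"""Added example: applying the directive's four urgency criteria to a
constructed list of findings. Only the top tier (all four criteria met ->
patch within 3 days and run forensic triage) is stated in the article;
everything else is reported as 'lower tier' with no deadline, because the
article does not give one."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    finding_id: str            # constructed placeholder id, not a real CVE
    asset: str                 # constructed asset name
    internet_exposed: bool     # the affected system is publicly reachable
    on_kev_list: bool          # listed in CISA's Known Exploited Vulnerabilities catalog
    fully_automatable: bool    # every exploitation step can be automated
    high_impact_access: bool   # successful exploitation yields broad access to the target


# The four criteria named in the directive, as described by the article.
CRITERIA = ("internet_exposed", "on_kev_list", "fully_automatable", "high_impact_access")


def criteria_met(f: Finding) -> int:
    """Count how many of the four criteria apply to a finding."""
    return sum(int(getattr(f, c)) for c in CRITERIA)


def triage(f: Finding) -> Dict[str, Optional[object]]:
    """Map a finding to the tier the article describes.

    All four criteria -> 3-day patch deadline plus forensic triage to check
    for existing compromise. Anything else -> lower tier (deadline unknown
    here; the directive's other timelines are not given in the article).
    """
    n = criteria_met(f)
    top_tier = n == len(CRITERIA)
    return {
        "finding_id": f.finding_id,
        "asset": f.asset,
        "criteria_met": n,
        "deadline_days": 3 if top_tier else None,
        "forensic_triage": top_tier,
    }


def prioritize(findings: List[Finding]) -> List[Dict[str, Optional[object]]]:
    """Order findings: top tier first, then by number of criteria met, then by id."""
    return sorted(
        (triage(f) for f in findings),
        key=lambda t: (t["deadline_days"] is None, -int(t["criteria_met"]), str(t["finding_id"])),
    )


# Constructed sample inventory (not real systems or vulnerabilities).
SAMPLE_FINDINGS = [
    Finding("FINDING-1", "public-web-portal", True, True, True, True),
    Finding("FINDING-2", "internal-db", False, True, True, True),
    Finding("FINDING-3", "dev-laptop", True, False, False, False),
]


def example() -> List[Dict[str, Optional[object]]]:
    """Run the rubric over the constructed inventory and return the queue."""
    return prioritize(SAMPLE_FINDINGS)


if __name__ == "__main__":
    for row in example():
        tier = f"patch within {row['deadline_days']} days, forensic triage" if row["forensic_triage"] else "lower tier"
        print(f"{row['finding_id']:10} {row['asset']:18} criteria={row['criteria_met']}  {tier}")
```

The ordering key is the design choice worth noting: findings that meet all four criteria always sort ahead of everything else, and within the remainder the count of criteria met is only a coarse ranking hint, since the article does not say which of the other combinations the directive treats as more urgent.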
The directive immediately supersedes two previous CISA orders related to patching timelines for vulnerabilities – one from 2019 and one from 2021. They established a framework in which the most critical bugs had to be patched within 15 days of detection and another class of high-urgency vulnerabilities had to be fixed within 30 days. And both encouraged rapid patching of serious flaws when possible. Even before the AI era, in 2021, CISA wrote that “threat actors are extremely quick to exploit vulnerabilities of their choice: 42% of known exploited [vulnerabilities] are in use on day 0 of disclosure; 50% within 2 days; and 75% within 28 days.”
US federal cybersecurity has improved significantly over the past decade, but it still often lags behind due to lack of funding and competing priorities. CISA’s Butera said the agency developed the new evaluation rubric and instructions with these limitations in mind. For example, the time limit for the most urgent vulnerabilities is three days rather than, say, 24 hours, he said, because such a short time frame would not be feasible for most agencies.
New AI capabilities are already changing the landscape of vulnerability detection and bug hunting. And as this fuels new urgency in patching, many researchers have inevitably begun to conclude that no amount of patching will be enough – and that the software development community globally must work to adopt new architectural or systemic approaches that eliminate entire classes of vulnerabilities at a time.
“The CISA directive is in the right place, but it only tackles half the challenge,” says Emily Long, CEO of cloud security firm Edera. “If your architecture doesn’t limit what an attacker can access after a breach, you’re just running faster on the same treadmill. Patching will always be important, but we should be talking more about prevention by design.”
CISA’s Butera acknowledged as much on Wednesday. “The new directive is an initial step towards countering the growing capabilities of emerging AI models,” he says. “Still, there is still more work to do.”