
AI Hackers Are So Fast That CISA Wants a 3-Day Patching Deadline. The Old One Was 3 Weeks.
Reuters exclusive: CISA officials want to slash vulnerability patching deadlines from 3 weeks to 3 days. The reason? AI models that turn fresh disclosures into working exploits in hours.
Here is a number that should ruin your weekend: three days. That is the new proposed deadline for US government agencies to patch critical software vulnerabilities, down from the current average of two to three weeks. Reuters reported Thursday that Nick Andersen, acting chief of CISA, and Sean Cairncross, the national cyber director, are actively discussing the change.
They want to move this fast because the attackers already do.
What Compressed the Timeline
The short answer: AI. Specifically, models like Anthropic's Mythos and OpenAI's GPT-5.4-Cyber. Reuters cites sources saying these newer models can identify previously unknown vulnerabilities or seize on freshly disclosed ones to enable complex hacking operations. What used to take months, weeks, or days has been compressed to hours in some cases.
"If you're going to protect civil agencies, you're going to have to move faster," said Stephen Boyer, founder of cybersecurity firm Bitsight, which has helped CISA catalogue vulnerabilities. "We don't have as much of a window as we used to have."
The specifics are chilling. Anthropic's own red team has documented Mythos producing 181 working Firefox exploits in benchmark testing and achieving full control-flow hijack on ten fully patched targets. Non-experts at Anthropic could request exploit searches overnight and wake up to working results. That is the capability that CISA is now racing to defend against.
CISA Is Being Asked to Sprint While Its Legs Are Being Cut
There is a painful irony here. CISA, the agency being asked to enforce tighter deadlines, has been depleted by deep job cuts and buffeted by government shutdowns under the Trump administration. Nitin Natarajan, who served as CISA's deputy director under Biden and now runs the consultancy NN Global, put it bluntly: "We've seen a reduction in their resources, both in funding and expertise."
Natarajan supports the faster deadlines but warns they mean nothing if CISA does not have the capacity to handle the strain. So the plan is: give agencies less time to patch, using an agency with fewer people and less money to enforce it, against threats moving at machine speed. Great.
The Practical Problem
Kecia Hoyt, a VP at threat intelligence firm Flashpoint, flagged the obvious: "Realistically, three days is simply impossible for some environments." Patching government IT systems is not like updating your iPhone. It involves compatibility testing, staged rollouts, and validation against mission-critical applications. Some of these systems run defense logistics, healthcare records, and critical infrastructure control. You cannot just push a patch and pray.
John Hammond, senior principal security researcher at Maryland-based Huntress, called it "quite a change" and said he is "cautiously optimistic" but that "only time will tell how well the industry keeps up."
The Bigger Picture
This is the first concrete government response to the fact that AI has fundamentally changed the attacker-defender asymmetry in cybersecurity. CISA's Known Exploited Vulnerabilities catalogue has been the reference point for federal patch management for years. If the default drops to three days, Natarajan says it will serve as a model for state and local governments, businesses, and every other organization that takes its cues from federal standards. The downstream effect on the private sector is massive.
Pair this with our coverage of Anthropic's Mythos restrictions (the White House blocked expansion to 120 organizations), the Pentagon's classified AI contracts, and Claude Security launching public beta for Enterprise customers last week. The cybersecurity AI arms race is not theoretical. It is happening in CISA conference rooms right now, and the people defending government systems are about to be told to move seven times faster with fewer resources.
Reuters could not establish whether a final decision has been made or when one is expected. CISA and the Office of the National Cyber Director did not comment.
First reported by Reuters.