CISA sets a 3-day patch deadline for the most dangerous exploited flaws.
The U.S. Cybersecurity and Infrastructure Security Agency introduced Binding Operational Directive 26-04, requiring federal civilian agencies to fix some high-risk vulnerabilities within 72 hours. The rule applies when flaws are internet-exposed, already exploited, automatable, and capable of giving attackers control over systems. CISA says the change is tied to the faster pace of exploitation in the AI era. The directive also tells agencies to check whether systems were already compromised, because patching alone does not remove an attacker.