The Cybersecurity and Infrastructure Security Agency this week released a new framework for federal civilian agencies for determining how quickly to patch software vulnerabilities, noting that artificial intelligence is “vastly increasing” the pace at which such vulnerabilities are discovered.
The binding operational directive establishes guidelines for patch prioritization based on factors such as public exposure and whether an attacker could gain full control of a system. The highest-risk vulnerabilities would be required to be patched in as little as three days, although CISA said an initial analysis of one agency’s systems determined that only 1% of vulnerabilities would fall into this category. Most patches could be deferred to the next system upgrade.
The directive is part of CISA’s response to President Trump’s executive order directing federal agencies to take steps to counter the potential cybersecurity threats posed by AI. CISA said the framework is needed in the current cybersecurity landscape, where AI software services can assist threat actors in finding and exploiting vulnerabilities.
“Applying a patch generally does not evict a threat actor,” CISA said. “Therefore, judiciously checking for existing compromise is vital to manage risk.”