The U.S. Cybersecurity and Infrastructure Security Agency has issued new guidance requiring federal agencies to address the most serious vulnerabilities within as little as 3 days.
On June 11 local time, online media outlet GigaZine reported that the U.S. government has shifted vulnerability management from a uniform response model to a risk-prioritised approach to counter the spread of cyberattacks using artificial intelligence (AI).
The core of the guidance is to stop treating all vulnerabilities at the same speed and instead block first those with a high likelihood of real-world exploitation and a large potential damage scope. Vulnerabilities classified in the highest-risk group must be patched or disabled within 3 days, and if needed agencies must also isolate them from the internet.
CISA considers 4 factors under the new standard: whether the asset is externally exposed; whether the vulnerability is included in the existing Known Exploited Vulnerabilities Catalog; whether attackers can automate the exploitation process; and whether an attack could seize control of part or all of the asset. Response deadlines vary depending on which criteria are met.
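As an added illustration (not from CISA or the article), the following Python applies the four factors above to a constructed asset inventory. The article states only that the highest-risk group must be patched or disabled within 3 days; the rule that the highest tier means all four factors hold, the intermediate tier names, and the sample assets are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str              # constructed placeholder, not a real identifier
    externally_exposed: bool  # factor 1: asset reachable from the internet
    in_kev_catalog: bool      # factor 2: listed in the KEV catalog
    exploit_automatable: bool # factor 3: exploitation can be automated
    grants_asset_control: bool  # factor 4: attack yields control of the asset

    def factor_count(self) -> int:
        return sum((self.externally_exposed, self.in_kev_catalog,
                    self.exploit_automatable, self.grants_asset_control))

def triage(f: Finding) -> tuple[str, Optional[int]]:
    """Return (tier, deadline_days). Only the top tier's deadline comes from
    the article; other deadlines are left to agency policy (None)."""
    if f.factor_count() == 4:          # assumption: all four factors = top tier
        return ("highest-risk", 3)     # patch, disable or isolate within 3 days
    if f.factor_count() >= 1:
        return ("elevated", None)      # deadline set by agency policy
    return ("routine", None)           # handled in the regular patch cycle

def prioritise(findings: list[Finding]) -> list[Finding]:
    """Order an inventory so the findings meeting the most factors come first."""
    return sorted(findings, key=lambda f: (-f.factor_count(), f.asset))

def three_day_queue(findings: list[Finding]) -> list[str]:
    """Assets that fall under the 3-day deadline."""
    return [f.asset for f in findings if triage(f)[1] == 3]

# Constructed sample inventory (asset names and vuln ids are made up).
INVENTORY = [
    Finding("vpn-gw-01", "VULN-A", True, True, True, True),
    Finding("hr-db-02", "VULN-B", False, True, True, True),
    Finding("build-srv-03", "VULN-C", True, False, False, False),
    Finding("kiosk-04", "VULN-D", False, False, False, False),
]

if __name__ == "__main__":
    for f in prioritise(INVENTORY):
        tier, days = triage(f)
        print(f"{f.asset:14} {f.vuln_id:7} {tier:13} deadline={days}")
```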
The background is a change in the speed of AI-enabled attacks. Attackers can now find and exploit unpatched vulnerabilities more quickly, while defenders lack the resources to address the flood of vulnerabilities immediately. The U.S. government is therefore evolving its previous approach, which centred on the Common Vulnerability Scoring System (CVSS) and known-vulnerability lists, into a structure that handles the higher real-world risks first.
CISA said vulnerabilities that must be handled within 3 days account for only 1 percent of the total. It judged that a delayed response to the remaining majority need not be a problem, so prioritisation can have a practical effect. This direction also matches agencies' current patching reality: Verizon's 2026 Data Breach Investigations Report showed that among vulnerabilities listed in the CISA catalog, only 26 percent were fully fixed in 2025, and the median time to full resolution was 43 days.
Each federal agency must revise its vulnerability management policies to match the guidance. They must not only move up patch schedules, but also establish a new process that reflects risk assessment and remediation priorities in internal procedures.
Chris Butera, acting executive assistant director for cybersecurity at CISA, said agencies must be able to free up time to patch the most urgent vulnerabilities faster. He also stressed that lower-risk vulnerabilities can be handled through more regular patch cycles.
The guidance applies to federal agencies, but it is also read as a signal that vulnerability management itself is changing. In particular, as attack automation becomes easier and intrusion attempts targeting exposed assets accelerate, a system that differentiates response speed based on actual exploitation risk rather than the number of vulnerabilities is becoming more important. As a result, U.S. government security operations are expected to be reorganised from a severity-score focus toward an approach that also considers attack likelihood and the scale of potential damage.