CISA mandates three-day patching for critical vulnerabilities amid AI threats

Jun 10, 2026, 6:55 PM

  • CISA issued a new directive requiring federal agencies to patch critical vulnerabilities within three days.
  • The directive establishes criteria for assessing the urgency of vulnerabilities based on exposure and exploitability.
  • This initiative aims to enhance cybersecurity in the face of evolving AI threats and improve response times.

Story

In response to the growing threats posed by artificial intelligence, the United States Cybersecurity and Infrastructure Security Agency (CISA) issued a new directive on June 10, 2026, aimed at enhancing the cybersecurity posture of federal civilian agencies. This directive, known as a binding operational directive (BOD), establishes a framework for the urgency of software patching based on four key assessments. The most critical vulnerabilities must be addressed within three days, reflecting the rapid pace at which malicious actors can exploit these weaknesses, especially with the aid of advanced AI technologies.

Chris Butera, CISA's acting executive assistant director for cybersecurity, emphasized the importance of prioritizing vulnerabilities that pose the greatest risk to federal assets. The directive outlines criteria for evaluating the urgency of vulnerabilities, including whether they are publicly exposed, whether they are listed in CISA's Known Exploited Vulnerabilities Catalog, and whether they can be exploited through automated means. This structured approach aims to ensure that agencies can effectively allocate resources to address the most pressing security issues while allowing more time to remediate less critical bugs.

The urgency of this directive is underscored by the increasing capabilities of AI in vulnerability detection and exploitation. As threat actors leverage these advancements, the potential for widespread exploitation of vulnerabilities has escalated, prompting CISA to take decisive action. The new directive supersedes previous orders from 2019 and 2021, which required critical vulnerabilities to be patched within 15 days and high-urgency vulnerabilities within 30 days. The shift to a three-day timeline for the most urgent cases reflects the evolving landscape of cybersecurity threats.

Despite improvements in federal cybersecurity over the past decade, challenges remain due to funding limitations and competing priorities. Butera acknowledged that while the three-day deadline is a significant step forward, it is not an unrealistic expectation for most agencies. However, experts like Emily Long, CEO of the cloud security firm Edera, argue that patching alone is insufficient. They advocate for a more comprehensive approach that includes architectural changes to limit the potential impact of breaches. CISA's directive is seen as an initial step in addressing the challenges posed by emerging AI capabilities, but further work is needed to enhance the overall security framework.
