
Why CISA’s 3-day patching mandate misses the point


COMMENTARY: The federal government's latest guidance on critical infrastructure resilience includes a provision that has been generating significant discussion across the security community.

It’s a mandate requiring agencies to patch critical vulnerabilities within 72 hours. The intent makes sense. It’s the execution as written that’s operationally disconnected from the reality of how government IT environments actually work.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

That disconnect matters. It’s not because we don’t think it’s important to patch. It matters because treating patch speed as the primary lever for national infrastructure security fundamentally misunderstands where the real problem lies.

The 72-hour issue

At face value, a blanket 3-day patching mandate for complex government IT environments ignores the fact that government infrastructure consists of a massive web of legacy systems, bespoke applications, and critical services that require rigorous regression testing before any code changes are introduced.

Implementing a 72-hour turnaround doesn’t accelerate the patching process. It forces IT teams to make tough choices, most notably between system stability and compliance. And what happens when patches are rushed without proper testing? Catastrophic outages and cascading failures, which are precisely the type of outcome adversaries are hoping to trigger.

The reality: we cannot mandate speed in a vacuum without breaking the very infrastructure we are trying to protect.

CISA's Known Exploited Vulnerabilities (KEV) catalog has done valuable work. It’s pushed agencies to patch specific, actively exploited flaws within 14 to 21 days. That model works because it is prioritized and deliberate. But compressing this down to 72 hours turns every high-CVSS alert into a drop-everything emergency, shifting the burden from a prioritized, urgent project to a continuous state of crisis management.
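To make the contrast concrete, here is an added example (not from the column, CISA or Morphisec) that schedules a constructed set of findings under a KEV-style prioritised deadline and under a blanket 72-hour rule for critical CVSS scores. The thresholds, SLA lengths and CVE ids are assumptions; it shows how the blanket rule both floods the emergency queue and pushes an actively exploited "high" flaw behind unexploited "critical" ones.

```python
"""Compare a KEV-style prioritised patching policy with a blanket 72-hour
mandate. Example code written for this commentary; the findings below are
constructed and the thresholds are assumptions, not CISA's actual rules."""
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float
    in_kev: bool      # listed as actively exploited in CISA's KEV catalog
    disclosed: date

CRITICAL_CVSS = 9.0            # assumption: "critical" means CVSS >= 9.0
KEV_SLA_DAYS = 21              # the column cites 14 to 21 days for KEV items
ROUTINE_SLA_DAYS = 30          # assumption: normal patch cycle for the rest
EMERGENCY_WINDOW_DAYS = 3      # anything due this soon cannot be scheduled

def kev_policy(f: Finding) -> date:
    """Prioritised model: only actively exploited flaws get the short deadline."""
    days = KEV_SLA_DAYS if f.in_kev else ROUTINE_SLA_DAYS
    return f.disclosed + timedelta(days=days)

def blanket_72h_policy(f: Finding) -> date:
    """Blanket mandate: every critical CVSS score becomes a 72-hour deadline,
    regardless of whether anyone is exploiting it."""
    if f.cvss >= CRITICAL_CVSS:
        return f.disclosed + timedelta(hours=72)
    return f.disclosed + timedelta(days=ROUTINE_SLA_DAYS)

def remediation_queue(findings, policy):
    """Return (cve, due_date) pairs sorted by due date under the given policy."""
    return sorted(((f.cve, policy(f)) for f in findings), key=lambda x: x[1])

def emergency_count(findings, policy):
    """Number of findings that land inside the drop-everything window."""
    return sum(1 for f in findings
               if policy(f) - f.disclosed <= timedelta(days=EMERGENCY_WINDOW_DAYS))

# Constructed sample: placeholder CVE ids, not real vulnerabilities.
D0 = date(2025, 1, 6)
SAMPLE = [
    Finding("CVE-2099-0001", 9.8, True,  D0),   # exploited in the wild
    Finding("CVE-2099-0002", 9.1, False, D0),   # critical score, no known exploitation
    Finding("CVE-2099-0003", 9.4, False, D0),
    Finding("CVE-2099-0004", 7.5, True,  D0),   # exploited despite a "high" score
    Finding("CVE-2099-0005", 6.5, False, D0),
]

if __name__ == "__main__":
    for name, policy in (("KEV-style", kev_policy), ("blanket 72h", blanket_72h_policy)):
        print(name, emergency_count(SAMPLE, policy), remediation_queue(SAMPLE, policy))
```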

IT and security teams are already facing severe burnout. By collapsing the National Vulnerability Database (NVD) remediation pipeline into 72 hours, organizations will experience growing alert fatigue, higher turnover, and the mistakes that adversaries are counting on.

The automation gap

Many teams may naturally call on automation to solve this challenge, but today’s tools are insufficient, especially at this scale. Fully automating the deployment of critical patches across a sprawling, heterogeneous government network without human oversight and extensive testing is a recipe for disaster. The automation required to safely test, validate, and deploy fixes within 72 hours without breaking dependencies does not exist at that scale.

But the fact that we cannot automate safe patching at this speed does not mean automation has no role. It means focusing automation on the right problem. Rather than trying to automate the impossible task of flawless, instant patching, we must automate disrupting the exploit itself. Through preemptive defense approaches that morph the application memory space, organizations can render a vulnerability unexploitable before a patch ever exists. That’s the only form of automation that works at machine speed without risking system downtime.

AI has already made 72 hours obsolete

The emergence of AI-driven vulnerability discovery makes the timeline debate even more urgent while also exposing the inadequacy of the 72-hour mandate.

AI flaw-hunting models and autonomous agents are accelerating the discovery and weaponization of zero-days to machine speed. If an adversary uses an AI agent to discover a flaw, generate an exploit, and launch an attack within hours, a 3-day government mandate is already 70 hours too late.

We have entered the era where human-speed patching cannot compete with machine-speed attacks. Today, we need deterministic, machine-speed prevention that stops unauthorized execution before it starts, regardless of whether a patch exists.

It’s simple and brutal math: we now measure the time between vulnerability disclosure and active exploitation in minutes. A 72-hour window does not represent a fast response. It’s a slow one dressed up as urgency.

Unfortunately, mandates like this one reinforce a reactive, whack-a-mole security culture that’s mathematically guaranteed to lose over time. Threat actors love the patching race because they know they have a structural head start. Every mandate that treats patch speed as the primary defense metric plays into that advantage.

Federal agencies must pivot toward preemptive cyber defense that proactively hides the attack surface so that even when a vulnerability exists, attackers can’t exploit it. That’s because when we morph the environment an attacker tries to navigate, the underlying vulnerability becomes irrelevant to their ability to cause harm.

While well-intentioned, patching faster within 72 hours does not necessarily make us more secure. We need to stop measuring success by how quickly we can apply a bandage and start measuring it by whether we can prevent the wound in the first place.

Preemptive defense is not just a supplement to patch management. For the threat environment we are now operating in, it’s the foundation that makes everything else possible.

Brad LaPorte, chief marketing officer, Morphisec
