CISA is reported to be evaluating whether to shorten the remediation deadlines in Binding Operational Directive 22-01, which currently governs how quickly federal civilian agencies must patch known exploited vulnerabilities. The evaluation is driven by concern that AI-assisted threat actors can develop and deploy exploits faster than existing deadline windows allow agencies to respond. As of March 4, 2026, no official CISA publication confirming a formal evaluation or proposed timeline change has been located; this item is based on policy reporting and signals. Organizations should treat this as a planning signal, not a confirmed directive change. Federal agencies and their contractors should monitor for updated CISA guidance and assess whether current patching velocity would meet tighter requirements.