From two weeks to three days: The KEV deadline debate

Drawing on his experience from his time in government working directly on CISA’s Known Exploited Vulnerabilities (KEV) catalog, Todd Beardsley, VP of Security Research at runZero, explains what it actually took behind the scenes to get a vulnerability added: verifying that real exploitation occurred, confirming the incident mattered to federal interests (including state/local governments, critical infrastructure, or allied nations), and ensuring there was a concrete remediation option before publishing. He walks Greg through how those judgments tied back to Binding Operational Directive 22-01 and how deadlines were set and adjusted from the two-week baseline—context that frames the recent trend toward three-day turnaround requirements. From that insider perspective, Beardsley outlines the practical risks of compressing timelines (especially around testing and change-control realities across 100+ civilian agencies) and why ultra-short deadlines can dilute KEV’s value as an “urgency signal,” even as they may push agencies to modernize staffing, automation, and patch processes to respond faster.