How Long Should It Take to Remediate a Critical CVE?
Critical CVEs should be remediated within 15 days, according to CISA's Binding Operational Directive 22-01. For actively exploited vulnerabilities in the CISA KEV catalog, federal agencies must remediate within 2 weeks. Private organizations should aim for similar or faster timelines for internet-facing systems.
Remediation Timeline Benchmarks
| Severity | CISA Requirement | Best Practice | Minimum Acceptable |
|---|---|---|---|
| Critical (CVSS 9.0-10.0) | 15 days (if in KEV) | 7-15 days | 30 days |
| High (CVSS 7.0-8.9) | 15 days (if in KEV) | 30 days | 60 days |
| Medium (CVSS 4.0-6.9) | N/A | 60-90 days | 90 days |
| Low (CVSS 0.1-3.9) | N/A | 90-180 days | 180 days |
CISA requirements apply to federal agencies for KEV vulnerabilities. Private organizations should use industry best practices as targets.
Factors That Affect Your Timeline
Exploit Availability
If a public exploit exists (and especially if the CVE is listed in CISA KEV), remediation becomes urgent. The Exploit Prediction Scoring System (EPSS) probability should also influence your timeline, even for findings with a high CVSS score but no known exploit: a high EPSS value means exploitation is likely soon, regardless of the base score.
Asset Exposure
Internet-facing systems need faster remediation than internal systems. A critical CVE on your public API is more urgent than the same CVE on an internal development server.
Compensating Controls
If you can't patch immediately, compensating controls (WAF rules, network segmentation, access restrictions) can reduce exposure while you plan remediation. They lower the risk but do not remove the vulnerability, so the finding should stay open and tracked against a deadline until the fix is applied.
Business Impact
Systems processing sensitive data or critical to operations warrant faster remediation. A vulnerability in your payment system is more urgent than one in your marketing site.
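The benchmarks in the table and the four factors above can be combined into one repeatable SLA calculation. The Python example below is added here and is not part of the original page: it takes the table's best-practice and minimum-acceptable windows as defaults, tightens the window for KEV listing, EPSS, internet exposure and sensitive data, and reports whether each finding is on track, overdue but covered by compensating controls (which still needs documented risk acceptance), or simply overdue. The EPSS threshold of 0.5, the halving of the window per exposure factor, and the CVE ids in the sample data are assumptions and placeholders, not values from the page.

```python
"""Compute remediation due dates and a triage order from severity and risk factors."""
from dataclasses import dataclass
from datetime import date, timedelta

# Windows in days. Best-practice values are the upper bound of each range in
# the page's table; minimum-acceptable values are the table's last column.
BEST_PRACTICE_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}
MINIMUM_ACCEPTABLE_DAYS = {"critical": 30, "high": 60, "medium": 90, "low": 180}
KEV_DAYS = 15          # the page's stated window for KEV-listed critical/high findings
EPSS_URGENT = 0.5      # assumed policy threshold, not a value from the page


def severity_from_cvss(score: float) -> str:
    """Map a CVSS base score to the severity bands used in the table."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


@dataclass
class Finding:
    cve_id: str
    cvss: float
    discovered: date
    in_kev: bool = False
    epss: float = 0.0                 # EPSS probability, 0.0 to 1.0
    internet_facing: bool = False     # asset exposure
    sensitive_data: bool = False      # business impact
    compensating_controls: bool = False


def remediation_window_days(f: Finding) -> int:
    """Start from the best-practice window and tighten it for each risk factor."""
    sev = severity_from_cvss(f.cvss)
    days = BEST_PRACTICE_DAYS[sev]
    # Exploit availability: KEV listing or a high EPSS score pulls critical/high
    # findings down to the KEV window.
    if sev in ("critical", "high") and (f.in_kev or f.epss >= EPSS_URGENT):
        days = min(days, KEV_DAYS)
    # Exposure and business impact each halve the window (assumed policy knob).
    if f.internet_facing:
        days = max(1, days // 2)
    if f.sensitive_data:
        days = max(1, days // 2)
    return days


def due_date(f: Finding) -> date:
    return f.discovered + timedelta(days=remediation_window_days(f))


def status(f: Finding, today: date) -> str:
    """'on-track', 'overdue-with-controls' (needs documented risk acceptance) or 'overdue'."""
    if today <= due_date(f):
        return "on-track"
    sev = severity_from_cvss(f.cvss)
    hard_limit = f.discovered + timedelta(days=MINIMUM_ACCEPTABLE_DAYS[sev])
    if f.compensating_controls and today <= hard_limit:
        return "overdue-with-controls"
    return "overdue"


def triage_order(findings: list) -> list:
    """Earliest due date first; ties broken by higher CVSS."""
    return [f.cve_id for f in sorted(findings, key=lambda f: (due_date(f), -f.cvss))]


# Constructed sample findings; the CVE ids are placeholders, not real entries.
SAMPLE = [
    Finding("CVE-0000-0001", 9.8, date(2024, 1, 1), in_kev=True, internet_facing=True,
            compensating_controls=True),
    Finding("CVE-0000-0002", 7.5, date(2024, 1, 1), epss=0.1),
    Finding("CVE-0000-0003", 5.0, date(2024, 1, 1)),
]

if __name__ == "__main__":
    today = date(2024, 1, 20)
    for cve in triage_order(SAMPLE):
        f = next(x for x in SAMPLE if x.cve_id == cve)
        print(f"{cve}: due {due_date(f)} ({remediation_window_days(f)} days), {status(f, today)}")
```

Running the script lists the three sample findings in triage order: the KEV-listed, internet-facing critical is due after 7 days and, being past due on 20 January, shows as overdue-with-controls, while the internal high and medium findings are still on track. The thresholds are deliberately kept as module-level constants so a team can swap in its own policy without touching the logic.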
Common Questions
What is CISA KEV and why does it matter?
CISA KEV (Known Exploited Vulnerabilities) is a catalog maintained by CISA listing CVEs that are actively being exploited in the wild. Federal agencies are required to remediate KEV vulnerabilities within the specified timeframe (typically 2-3 weeks). Private organizations should treat KEV inclusion as a signal that the vulnerability is being actively exploited and prioritize accordingly.
What if we can't meet the recommended timeline?
If patching isn't possible within the recommended timeline, document compensating controls, get formal risk acceptance from appropriate leadership, and establish a remediation plan with a realistic deadline. Some organizations create exception processes for vulnerabilities that can't be immediately remediated due to system dependencies or change windows.
How do compliance frameworks define remediation timelines?
PCI DSS requires addressing high-risk vulnerabilities within 30 days of identification. HIPAA doesn't specify exact timelines but expects 'reasonable' remediation. SOC 2 auditors look for documented SLAs and evidence of adherence. FedRAMP has specific timelines: 30 days for high, 90 days for moderate, 180 days for low.
Need Help Meeting Remediation SLAs?
We help organizations establish and meet realistic vulnerability remediation timelines.