The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a new federal mandate requiring agencies to adopt a risk-based approach to patching software vulnerabilities, with the most critical flaws now requiring remediation within three days.