Policy would require agencies to patch cybersecurity holes within 72 hours of discovery