The new directive gives federal agencies three days to fix the most dangerous flaws, while less severe issues can be deferred.