- CISA retired ten Emergency Directives, citing successful implementation or redundancy under BOD 22-01
- BOD 22-01 mandates agencies patch known exploited vulnerabilities (KEVs) within strict deadlines
- This marks the largest simultaneous ED retirement, reinforcing CISA’s Secure by Design principles
The US Cybersecurity and Infrastructure Security Agency (CISA) has officially retired ten Emergency Directives (ED) issued between 2019 and 2024, stating that they have fulfilled their purpose and are no longer necessary.
In a brief announcement on its website, CISA explained that these directives have either been successfully implemented or are now covered under Binding Operational Directive (BOD) 22-01, rendering them redundant.
“When the threat landscape demands it, CISA mandates swift, decisive action by Federal Civilian Executive Branch (FCEB) agencies and continues to issue directives as needed to drive timely cyber risk reduction across federal enterprise,” stated CISA Acting Director Madhu Gottumukkala.
Secure by Design Principles
BOD 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities is a mandatory federal cybersecurity directive first issued on November 3, 2021. It requires Federal Civilian Executive Branch Agencies (FCEB) to concentrate their vulnerability management efforts on a curated list of known exploited vulnerabilities (KEVs) that pose significant risks. This directive establishes a CISA-managed catalog of these actively exploited flaws and sets strict deadlines for remediation, compelling agencies to patch or mitigate them within specified timeframes.
This binding directive has thus led to the retirement of the following Emergency Directives:
ED 19-01: Mitigate DNS Infrastructure Tampering
ED 20-02: Mitigate Windows Vulnerabilities from January 2020 Patch Tuesday
ED 20-03: Mitigate Windows DNS Server Vulnerability from July 2020 Patch Tuesday
ED 20-04: Mitigate Netlogon Elevation of Privilege Vulnerability from August 2020 Patch Tuesday
ED 21-01: Mitigate SolarWinds Orion Code Compromise
ED 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities
ED 21-03: Mitigate Pulse Connect Secure Product Vulnerabilities
ED 21-04: Mitigate Windows Print Spooler Service Vulnerability
ED 22-03: Mitigate VMware Vulnerabilities
ED 24-02: Mitigating the Significant Risk from Nation-State Compromise of Microsoft Corporate Email System
CISA also noted that this is the highest number of EDs retired simultaneously.
“The closure of these ten Emergency Directives reflects CISA’s commitment to operational collaboration across the federal enterprise. Looking ahead, CISA continues to advance Secure by Design principles – prioritizing transparency, configurability, and interoperability – so every organization can better defend their diverse environments,” Gottumukkala explained.
Via BleepingComputer
