The U.S. Cybersecurity and Infrastructure Safety Company (CISA) has retired 10 Emergency Directives issued between 2019 and 2024, saying that the required actions have been accomplished or at the moment are lined by Binding Operational Directive 22-01.
CISA mentioned that is the biggest variety of Emergency Directives it has closed at one time.
“By statute, CISA points Emergency Directives to quickly mitigate rising threats and to reduce the influence by limiting directives to the shortest time attainable,” explains CISA.
“Following a complete evaluation of all lively directives, CISA decided that required actions have been efficiently applied or at the moment are encompassed by Binding Operational Directive (BOD) 22-01, Decreasing the Important Danger of Recognized Exploited Vulnerabilities. “
Binding Operational Directive 22-01 makes use of the company’s Recognized Exploited Vulnerabilities (KEV) catalog to alert federal civilian companies of actively exploited flaws and when methods should be patched towards them.
Emergency Directives are supposed to tackle pressing dangers and stay in place solely so long as wanted.
The entire checklist of Emergency Directives closed in the present day is:
- ED 19-01: Mitigate DNS Infrastructure Tampering
- ED 20-02: Mitigate Home windows Vulnerabilities from January 2020 Patch Tuesday
- ED 20-03: Mitigate Home windows DNS Server Vulnerability from July 2020 Patch Tuesday
- ED 20-04: Mitigate Netlogon Elevation of Privilege Vulnerability from August 2020 Patch Tuesday
- ED 21-01: Mitigate SolarWinds Orion Code Compromise
- ED 21-02: Mitigate Microsoft Alternate On-Premises Product Vulnerabilities
- ED 21-03: Mitigate Pulse Join Safe Product Vulnerabilities
- ED 21-04: Mitigate Home windows Print Spooler Service Vulnerability
- ED 22-03: Mitigate VMware Vulnerabilities
- ED 24-02: Mitigating the Important Danger from Nation-State Compromise of Microsoft Company Electronic mail System
Lots of these directives addressed vulnerabilities that had been exploited shortly and at the moment are a part of CISA’s KEV catalog.
Underneath BOD 22-01, federal civilian companies are required to patch vulnerabilities listed within the KEV catalog by particular dates set by CISA. By default, companies have as much as six months to repair flaws assigned to CVEs earlier than 2021, with newer flaws mounted inside two weeks.
Nonetheless, CISA can set considerably shorter patching timelines when deemed excessive danger.
In a latest instance, companies had been required to patch Cisco gadgets affected by the actively exploited CVE-2025-20333 and CVE-2025-20362 vulnerabilities inside at some point.
It is funds season! Over 300 CISOs and safety leaders have shared how they’re planning, spending, and prioritizing for the 12 months forward. This report compiles their insights, permitting readers to benchmark methods, determine rising developments, and examine their priorities as they head into 2026.
Learn the way prime leaders are turning funding into measurable influence.
