The U.S. Cybersecurity and Infrastructure Safety Company (CISA) has retired 10 Emergency Directives issued between 2019 and 2024, saying that the required actions have been accomplished or at the moment are lined by Binding Operational Directive 22-01.
CISA mentioned that is the most important variety of Emergency Directives it has closed at one time.
“By statute, CISA points Emergency Directives to quickly mitigate rising threats and to attenuate the influence by limiting directives to the shortest time potential,” explains CISA.
“Following a complete overview of all lively directives, CISA decided that required actions have been efficiently carried out or at the moment are encompassed via Binding Operational Directive (BOD) 22-01, Lowering the Vital Danger of Identified Exploited Vulnerabilities. “
Binding Operational Directive 22-01 makes use of the company’s Identified Exploited Vulnerabilities (KEV) catalog to alert federal civilian businesses of actively exploited flaws and when methods have to be patched towards them.
Emergency Directives are supposed to tackle pressing dangers and stay in place solely so long as wanted.
The entire listing of Emergency Directives closed at the moment is:
- ED 19-01: Mitigate DNS Infrastructure Tampering
- ED 20-02: Mitigate Home windows Vulnerabilities from January 2020 Patch Tuesday
- ED 20-03: Mitigate Home windows DNS Server Vulnerability from July 2020 Patch Tuesday
- ED 20-04: Mitigate Netlogon Elevation of Privilege Vulnerability from August 2020 Patch Tuesday
- ED 21-01: Mitigate SolarWinds Orion Code Compromise
- ED 21-02: Mitigate Microsoft Trade On-Premises Product Vulnerabilities
- ED 21-03: Mitigate Pulse Join Safe Product Vulnerabilities
- ED 21-04: Mitigate Home windows Print Spooler Service Vulnerability
- ED 22-03: Mitigate VMware Vulnerabilities
- ED 24-02: Mitigating the Vital Danger from Nation-State Compromise of Microsoft Company E mail System
A lot of these directives addressed vulnerabilities that have been exploited shortly and at the moment are a part of CISA’s KEV catalog.
Beneath BOD 22-01, federal civilian businesses are required to patch vulnerabilities listed within the KEV catalog by particular dates set by CISA. By default, businesses have as much as six months to repair flaws assigned to CVEs earlier than 2021, with newer flaws fastened inside two weeks.
Nevertheless, CISA can set considerably shorter patching timelines when deemed excessive danger.
In a current instance, businesses have been required to patch Cisco gadgets affected by the actively exploited CVE-2025-20333 and CVE-2025-20362 vulnerabilities inside sooner or later.
It is price range season! Over 300 CISOs and security leaders have shared how they’re planning, spending, and prioritizing for the 12 months forward. This report compiles their insights, permitting readers to benchmark methods, establish rising developments, and examine their priorities as they head into 2026.
Learn the way prime leaders are turning funding into measurable influence.
