The U.S. Cybersecurity and Infrastructure Safety Company (CISA) has retired 10 Emergency Directives issued between 2019 and 2024, saying that the required actions have been accomplished or at the moment are lined by Binding Operational Directive 22-01.
CISA stated that is the most important variety of Emergency Directives it has closed at one time.
“By statute, CISA points Emergency Directives to quickly mitigate rising threats and to reduce the influence by limiting directives to the shortest time doable,” explains CISA.
“Following a complete evaluate of all energetic directives, CISA decided that required actions have been efficiently carried out or at the moment are encompassed by means of Binding Operational Directive (BOD) 22-01, Decreasing the Important Threat of Recognized Exploited Vulnerabilities. “
Binding Operational Directive 22-01 makes use of the company’s Recognized Exploited Vulnerabilities (KEV) catalog to alert federal civilian businesses of actively exploited flaws and when techniques should be patched towards them.
Emergency Directives are supposed to deal with pressing dangers and stay in place solely so long as wanted.
The entire record of Emergency Directives closed as we speak is:
- ED 19-01: Mitigate DNS Infrastructure Tampering
- ED 20-02: Mitigate Home windows Vulnerabilities from January 2020 Patch Tuesday
- ED 20-03: Mitigate Home windows DNS Server Vulnerability from July 2020 Patch Tuesday
- ED 20-04: Mitigate Netlogon Elevation of Privilege Vulnerability from August 2020 Patch Tuesday
- ED 21-01: Mitigate SolarWinds Orion Code Compromise
- ED 21-02: Mitigate Microsoft Alternate On-Premises Product Vulnerabilities
- ED 21-03: Mitigate Pulse Join Safe Product Vulnerabilities
- ED 21-04: Mitigate Home windows Print Spooler Service Vulnerability
- ED 22-03: Mitigate VMware Vulnerabilities
- ED 24-02: Mitigating the Important Threat from Nation-State Compromise of Microsoft Company E mail System
A lot of these directives addressed vulnerabilities that had been exploited shortly and at the moment are a part of CISA’s KEV catalog.
Beneath BOD 22-01, federal civilian businesses are required to patch vulnerabilities listed within the KEV catalog by particular dates set by CISA. By default, businesses have as much as six months to repair flaws assigned to CVEs earlier than 2021, with newer flaws mounted inside two weeks.
Nevertheless, CISA can set considerably shorter patching timelines when deemed excessive threat.
In a latest instance, businesses had been required to patch Cisco units affected by the actively exploited CVE-2025-20333 and CVE-2025-20362 vulnerabilities inside at some point.
It is price range season! Over 300 CISOs and safety leaders have shared how they’re planning, spending, and prioritizing for the yr forward. This report compiles their insights, permitting readers to benchmark methods, establish rising traits, and examine their priorities as they head into 2026.
Learn the way prime leaders are turning funding into measurable influence.
