- CISA withdrew ten emergency directives, citing successful implementation or redundancy under BOD 22-01
- BOD 22-01 requires agencies to patch Known Exploited Vulnerabilities (KEVs) within strict timelines
- This marks the largest simultaneous withdrawal of emergency directives, reinforcing CISA’s Secure by Design principles.
The US Cybersecurity and Infrastructure Security Agency (CISA) withdrew ten Emergency Directives (EDs) it issued between 2019 and 2024, saying they achieved their purpose and are no longer needed.
In a brief announcement posted on its website, CISA said the EDs have either been successfully implemented or are now covered by Binding Operational Directive (BOD) 22-01, making them redundant.
“When the threat landscape demands it, CISA demands swift and decisive action by Federal Civil Executive Branch (FCEB) agencies and continues to issue directives as necessary to drive timely cyber risk reduction across the federal enterprise,” said CISA Acting Director Madhu Gottumukkala.
Secure by Design principles
BOD 22-01: Reducing Significant Risk from Known Exploited Vulnerabilities is a mandatory federal cybersecurity directive first issued on November 3, 2021. It requires Federal Civilian Executive Branch (FCEB) agencies to focus their vulnerability management efforts on a select list of known exploited vulnerabilities (KEVs) that pose significant risk. The directive establishes a CISA-managed catalog of these actively exploited flaws and sets strict deadlines for their remediation, forcing agencies to patch or mitigate them within specific timeframes.
The following Emergency Directives have therefore been withdrawn:
- ED 19-01: Mitigate manipulation of DNS infrastructure
- ED 20-02: Mitigate Windows vulnerabilities from January 2020 Patch Tuesday
- ED 20-03: Mitigate Windows DNS server vulnerability from July 2020 Patch Tuesday
- ED 20-04: Mitigate Netlogon elevation of privilege vulnerability from August 2020 Patch Tuesday
- ED 21-01: Mitigate SolarWinds Orion code compromise
- ED 21-02: Mitigate vulnerabilities in on-premises Microsoft Exchange products
- ED 21-03: Mitigate vulnerabilities in Pulse Connect Secure products
- ED 21-04: Mitigate Windows Print Spooler service vulnerability
- ED 22-03: Mitigate VMware vulnerabilities
- ED 24-02: Mitigate the significant risk of nation-state compromise of Microsoft’s corporate email system
CISA also said that this is the largest number of EDs withdrawn at the same time.
“The closing of these ten Emergency Directives reflects CISA’s commitment to operational collaboration across the federal enterprise. Looking ahead, CISA continues to advance the principles of Security by Design, prioritizing transparency, configurability and interoperability, so that each organization can better defend its diverse environments,” explains Gottumukkala.
Via BleepingComputer




