TechRadar
Sead Fadilpašić

10 emergency directives retired as CISA declares them redundant

  • CISA retired ten Emergency Directives, citing successful implementation or redundancy under BOD 22-01
  • BOD 22-01 mandates agencies patch known exploited vulnerabilities (KEVs) within strict deadlines
  • This marks the largest simultaneous ED retirement, reinforcing CISA’s Secure by Design principles

The US Cybersecurity and Infrastructure Security Agency (CISA) retired ten Emergency Directives (EDs) it issued between 2019 and 2024, saying they achieved their purpose and are no longer needed.

In a short announcement published on its website, CISA said the EDs have either been successfully implemented or are now encompassed by Binding Operational Directive (BOD) 22-01, making them redundant.

“When the threat landscape demands it, CISA mandates swift, decisive action by Federal Civilian Executive Branch (FCEB) agencies and continues to issue directives as needed to drive timely cyber risk reduction across federal enterprise,” said CISA Acting Director Madhu Gottumukkala.

Secure by Design principles

BOD 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities is a compulsory federal cybersecurity directive first issued on November 3, 2021. It requires Federal Civilian Executive Branch (FCEB) agencies to focus their vulnerability-management efforts on a curated list of known exploited vulnerabilities (KEVs) that pose significant risk. The directive establishes a CISA-managed catalog of these actively exploited flaws and sets strict deadlines for remediation, compelling agencies to patch or otherwise mitigate them within specified timeframes.

This binding directive has thus retired the following Emergency Directives:

  • ED 19-01: Mitigate DNS Infrastructure Tampering
  • ED 20-02: Mitigate Windows Vulnerabilities from January 2020 Patch Tuesday
  • ED 20-03: Mitigate Windows DNS Server Vulnerability from July 2020 Patch Tuesday
  • ED 20-04: Mitigate Netlogon Elevation of Privilege Vulnerability from August 2020 Patch Tuesday
  • ED 21-01: Mitigate SolarWinds Orion Code Compromise
  • ED 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities
  • ED 21-03: Mitigate Pulse Connect Secure Product Vulnerabilities
  • ED 21-04: Mitigate Windows Print Spooler Service Vulnerability
  • ED 22-03: Mitigate VMware Vulnerabilities
  • ED 24-02: Mitigating the Significant Risk from Nation-State Compromise of Microsoft Corporate Email System

CISA also said that this is the highest number of EDs retired at one time.

“The closure of these ten Emergency Directives reflects CISA’s commitment to operational collaboration across the federal enterprise. Looking ahead, CISA continues to advance Secure by Design principles – prioritizing transparency, configurability, and interoperability – so every organization can better defend their diverse environments,” Gottumukkala explains.

Via BleepingComputer
