- CISA withdrew ten emergency directives citing successful implementation or redundancy under BOD 22-01
- BOD 22-01 requires agencies to remediate known exploited vulnerabilities (KEVs) within strict deadlines
- This marks the largest simultaneous ED retirement, reinforcing CISA’s Secure by Design principles
The US Cybersecurity and Infrastructure Security Agency (CISA) withdrew ten emergency directives (EDs) it issued between 2019 and 2024, saying they achieved their purpose and are no longer needed.
In a brief notice published on its website, CISA said the EDs have either been successfully implemented or are now covered by Binding Operational Directive (BOD) 22-01, making them redundant.
“When the threat landscape demands it, CISA mandates swift, decisive action by Federal Civilian Executive Branch (FCEB) agencies and continues to issue directives as needed to promote timely cyber risk mitigation across federal enterprises,” said CISA Acting Director Madhu Gottumukkala.
Secure by Design principles
BOD 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities is a mandatory federal cybersecurity directive first issued on November 3, 2021. It requires Federal Civilian Executive Branch (FCEB) agencies to focus their vulnerability management efforts on a curated list of known exploited vulnerabilities (KEVs). The directive establishes a CISA-managed catalog of these actively exploited flaws and sets strict deadlines for remediation, requiring agencies to patch or otherwise mitigate them within specified time frames.
With that binding directive in place, the following emergency directives have been retired:
- ED 19-01: Mitigate manipulation of DNS infrastructure
- ED 20-02: Fix Windows vulnerabilities from January 2020 Patch Tuesday
- ED 20-03: Remedy Windows DNS Server vulnerability from July 2020 Patch Tuesday
- ED 20-04: Reduce Netlogon Elevation of Privilege vulnerability from August 2020 Patch Tuesday
- ED 21-01: Mitigate SolarWinds Orion code compromise
- ED 21-02: Remediate Microsoft Exchange On-Premises product vulnerabilities
- ED 21-03: Reduce Pulse Connect Secure product vulnerabilities
- ED 21-04: Address Windows Print Spooler Service vulnerability
- ED 22-03: Remediate VMware vulnerabilities
- ED 24-02: Mitigating the Significant Risk of Nation-State Compromise of the Microsoft Corporate Email System
CISA also said this is the highest number of EDs to have been retired at one time.
“The closing of these ten emergency directives reflects CISA’s commitment to operational collaboration across the federal enterprise. Looking forward, CISA continues to advance the Secure by Design principles – prioritizing transparency, configurability and interoperability – so that every organization can better defend their diverse environments,” explains Gottumukkala.
Via Bleeping Computer