- CISA withdrew ten emergency directives, citing successful implementation or redundancy under BOD 22-01.
- BOD 22-01 requires agencies to remediate known exploited vulnerabilities (KEVs) within strict deadlines.
- This is the largest simultaneous withdrawal of EDs, reinforcing CISA’s Secure by Design principles.
The US Cybersecurity and Infrastructure Security Agency (CISA) has withdrawn ten emergency directives (EDs) it issued between 2019 and 2024, saying they had served their purpose and were no longer necessary.
In a brief announcement posted on its website, CISA said the EDs have either been successfully implemented or are now included in Binding Operational Directive (BOD) 22-01, making them redundant.
“When the threat landscape demands it, CISA requires rapid and decisive action from Federal Civilian Executive Branch (FCEB) agencies and continues to issue guidance as necessary to support rapid reduction of cyber risks across federal enterprises,” said Madhu Gottumukkala, Acting Director of CISA.
Secure by Design principles
BOD 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities is a mandatory federal cybersecurity directive first issued on November 3, 2021. It requires Federal Civilian Executive Branch (FCEB) agencies to focus their vulnerability management efforts on a curated list of known exploited vulnerabilities (KEVs) that pose a significant risk. The directive establishes a CISA-managed catalog of these actively exploited vulnerabilities and sets strict deadlines for remediation, requiring agencies to correct or otherwise mitigate them within specified time frames.
This binding directive thus removed the following emergency directives:
ED 19-01: Mitigating DNS Infrastructure Tampering
ED 20-02: Mitigate Windows Vulnerabilities from January 2020 Patch Tuesday
ED 20-03: Mitigate Windows DNS Server Vulnerability from July 2020 Patch Tuesday
ED 20-04: Mitigate Netlogon Elevation of Privilege Vulnerability from August 2020 Patch Tuesday
ED 21-01: Mitigate SolarWinds Orion Code Compromises
ED 21-02: Mitigate vulnerabilities in on-premises Microsoft Exchange products
ED 21-03: Mitigate Pulse Connect Secure Product Vulnerabilities
ED 21-04: Mitigation of Windows Print Spooler Service Vulnerability
ED 22-03: Mitigate VMware Vulnerabilities
ED 24-02: Mitigation of Significant Risk of Government-Microsoft Enterprise Email Compromise
CISA also said this is the largest number of EDs retired at one time.
“The closing of these ten emergency directives reflects CISA’s commitment to operational collaboration across the federal enterprise. Looking forward, CISA continues to advance security by design principles – prioritizing transparency, configurability, and interoperability – so that each organization can better defend its diverse environments,” says Gottumukkala.
Via BleepingComputer