CISA Retires 10 Emergency Cyber Directives in Bulk Move
▼ Summary
– CISA has retired 10 Emergency Directives from 2019-2024, marking its largest single closure of such directives.
– The directives were closed because their required actions are now complete or covered by Binding Operational Directive (BOD) 22-01.
– Emergency Directives are statutory tools for rapid threat mitigation and are designed to be temporary.
– BOD 22-01 mandates federal agencies to patch vulnerabilities from CISA’s Known Exploited Vulnerabilities catalog by set deadlines.
– Patching timelines under BOD 22-01 can be very short, as shown by a recent one-day requirement for critical Cisco flaws.
In a significant administrative shift, the U.S. Cybersecurity and Infrastructure Security Agency has retired ten of its Emergency Directives in a single action. The agency confirmed that the required security measures outlined in these directives, issued from 2019 through 2024, have now been fully implemented or are superseded by the broader framework of Binding Operational Directive 22-01. This directive, focused on reducing risks from known exploited vulnerabilities, now serves as the primary mechanism for mandating federal agency actions.
This bulk retirement marks the largest number of such directives CISA has closed simultaneously. The agency is authorized by statute to issue Emergency Directives as a tool for rapid response, designed to mitigate emerging cyber threats with time-limited mandates. Following a thorough review, officials determined the specific urgent risks that prompted these ten directives have been adequately addressed. The required actions are either complete or have been effectively integrated into the ongoing requirements of BOD 22-01.
Binding Operational Directive 22-01 operates by leveraging CISA’s Known Exploited Vulnerabilities catalog. This public list identifies software flaws that are under active attack, providing federal civilian agencies with clear mandates and deadlines for applying patches. The retirement of the older Emergency Directives streamlines the process, centralizing authority under this more permanent directive. Many of the vulnerabilities originally addressed by the retired directives are now cataloged in the KEV, making them subject to BOD 22-01’s continuous oversight.
The operational requirements under BOD 22-01 are stringent. Federal agencies must remediate vulnerabilities listed in the KEV catalog according to deadlines set by CISA. Generally, flaws with Common Vulnerabilities and Exposures identifiers dated before 2021 allow for a patching window of up to six months. However, for newer, actively exploited vulnerabilities, the standard deadline is dramatically shorter, typically requiring action within two weeks. CISA retains the authority to mandate even faster remediation when a threat is deemed critically severe.
This authority was recently demonstrated with vulnerabilities affecting Cisco devices, identified as CVE-2025-20333 and CVE-2025-20362. Due to their active exploitation and high risk, CISA required all federal civilian agencies to patch affected systems within a single day. This example underscores the directive’s flexibility and the agency’s commitment to enforcing swift action against the most dangerous threats, even as it consolidates and retires older, more specific emergency orders.
(Source: Bleeping Computer)
