WASHINGTON – Today, the Cybersecurity and Infrastructure Security Agency (CISA) announced the successful retirement of ten Emergency Directives issued between 2019-2024. Marking a significant milestone in federal cybersecurity, this is the highest number of Emergency Directives retired by the agency at one time. These directives achieved their mission to mitigate urgent and imminent risks to Federal Civilian Executive Branch (FCEB) agencies. Since their issuance, CISA has partnered closely with federal agencies to drive remediation, embed best practices and overcome systemic challenges – establishing a stronger, more resilient digital infrastructure for a more secure America.
By statute, CISA issues Emergency Directives to rapidly mitigate emerging threats and to minimize the impact by limiting directives to the shortest time possible. Following a comprehensive review of all active directives, CISA determined that required actions have been successfully implemented or are now encompassed through Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities.
“As the operational lead for federal cybersecurity, CISA leverages its authorities to strengthen federal systems and defend against unacceptable risks, especially those related to hostile nation-state actors. When the threat landscape demands it, CISA mandates swift, decisive action by Federal Civilian Executive Branch (FCEB) agencies and continues to issue directives as needed to drive timely cyber risk reduction across federal enterprise,” said CISA Acting Director Madhu Gottumukkala. “The closure of these ten Emergency Directives reflects CISA’s commitment to operational collaboration across the federal enterprise. Every day, CISA’s exceptional team works collaboratively with partners to eliminate persistent access, counter emerging threats, and deliver real-time mitigation guidance. Looking ahead, CISA continues to advance Secure by Design principles – prioritizing transparency, configurability, and interoperability - so every organization can better defend their diverse environments.”
Emergency Directives tied to specific Common Vulnerabilities and Exposures (CVEs) have been retired because those vulnerabilities are now included in CISA’s Known Exploited Vulnerabilities (KEV) catalog. These directives include EDs 2002, 2003, 2004, 2102, 2103, 2104, and 2203. For EDs 1901, 2101, and 2402, CISA determined that their objectives were achieved, requirements no longer align with the current risk posture, and changes in practices have rendered the directives obsolete.
The following Emergency Directives are now formally closed:
- ED 19-01: Mitigate DNS Infrastructure Tampering
- ED 20-02: Mitigate Windows Vulnerabilities from January 2020 Patch Tuesday
- ED 20-03: Mitigate Windows DNS Server Vulnerability from July 2020 Patch Tuesday
- ED 20-04: Mitigate Netlogon Elevation of Privilege Vulnerability from August 2020 Patch Tuesday
- ED 21-01: Mitigate SolarWinds Orion Code Compromise
- ED 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities
- ED 21-03: Mitigate Pulse Connect Secure Product Vulnerabilities
- ED 21-04: Mitigate Windows Print Spooler Service Vulnerability
- ED 22-03: Mitigate VMware Vulnerabilities
- ED 24-02: Mitigating the Significant Risk from Nation-State Compromise of Microsoft Corporate Email System
CISA is committed to evolving federal cybersecurity practices and ensuring sustained protection against the most critical and multiplying risks. For more information on CISA Directives, visit Cybersecurity Directives.
###
About CISA
As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.
Visit CISA.gov for more information and follow us on X, Facebook, LinkedIn, Instagram.