The Cybersecurity and Infrastructure Security Agency (CISA) has announced the retirement of ten Emergency Directives issued between 2019-2024. Marking a significant milestone in federal cybersecurity, this is the highest number of Emergency Directives retired by the agency at one time. These directives achieved their mission to mitigate urgent and imminent risks to Federal Civilian Executive Branch (FCEB) agencies. Since their issuance, CISA has partnered closely with federal agencies to drive remediation, embed best practices and overcome systemic challenges – establishing a stronger, more resilient digital infrastructure for a more secure America.
By statute, CISA issues Emergency Directives to rapidly mitigate emerging threats and to minimize the impact by limiting directives to the shortest time possible. Following a comprehensive review of all active directives, CISA determined that required actions have been successfully implemented or are now encompassed through Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities.
“As the operational lead for federal cybersecurity, CISA leverages its authorities to strengthen federal systems and defend against unacceptable risks, especially those related to hostile nation-state actors. When the threat landscape demands it, CISA mandates swift, decisive action by Federal Civilian Executive Branch (FCEB) agencies and continues to issue directives as needed to drive timely cyber risk reduction across federal enterprise,” said CISA Acting Director Madhu Gottumukkala. “The closure of these ten Emergency Directives reflects CISA’s commitment to operational collaboration across the federal enterprise. Every day, CISA’s exceptional team works collaboratively with partners to eliminate persistent access, counter emerging threats, and deliver real-time mitigation guidance. Looking ahead, CISA continues to advance Secure by Design principles – prioritizing transparency, configurability, and interoperability - so every organization can better defend their diverse environments.”
Emergency Directives tied to specific Common Vulnerabilities and Exposures (CVEs) have been retired because those vulnerabilities are now included in CISA’s Known Exploited Vulnerabilities (KEV) catalog. These directives include EDs 2002, 2003, 2004, 2102, 2103, 2104, and 2203. For EDs 1901, 2101, and 2402, CISA determined that their objectives were achieved, requirements no longer align with the current risk posture, and changes in practices have rendered the directives obsolete.
The following Emergency Directives are now formally closed:
- ED 19-01: Mitigate DNS Infrastructure Tampering
- ED 20-02: Mitigate Windows Vulnerabilities from January 2020 Patch Tuesday
- ED 20-03: Mitigate Windows DNS Server Vulnerability from July 2020 Patch Tuesday
- ED 20-04: Mitigate Netlogon Elevation of Privilege Vulnerability from August 2020 Patch Tuesday
- ED 21-01: Mitigate SolarWinds Orion Code Compromise
- ED 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities
- ED 21-03: Mitigate Pulse Connect Secure Product Vulnerabilities
- ED 21-04: Mitigate Windows Print Spooler Service Vulnerability
- ED 22-03: Mitigate VMware Vulnerabilities
- ED 24-02: Mitigating the Significant Risk from Nation-State Compromise of Microsoft Corporate Email System
The original announcement can be found here.
