Article Details

Original Article Text

CISA retires 10 emergency cyber orders in rare bulk closure

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has retired 10 Emergency Directives issued between 2019 and 2024, saying that the required actions have been completed or are now covered by Binding Operational Directive 22-01. CISA said this is the largest number of Emergency Directives it has closed at one time.

"By statute, CISA issues Emergency Directives to rapidly mitigate emerging threats and to minimize the impact by limiting directives to the shortest time possible," explains CISA. "Following a comprehensive review of all active directives, CISA determined that required actions have been successfully implemented or are now encompassed through Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities."

Binding Operational Directive 22-01 uses the agency's Known Exploited Vulnerabilities (KEV) catalog to alert federal civilian agencies of actively exploited flaws and when systems must be patched against them. Emergency Directives are meant to address urgent risks and remain in place only as long as needed.

The complete list of Emergency Directives closed today is:

Many of those directives addressed vulnerabilities that were exploited quickly and are now part of CISA's KEV catalog.

Under BOD 22-01, federal civilian agencies are required to patch vulnerabilities listed in the KEV catalog by specific dates set by CISA. By default, agencies have up to six months to fix flaws assigned to CVEs before 2021, with newer flaws fixed within two weeks. However, CISA can set significantly shorter patching timelines when deemed high risk. In a recent example, agencies were required to patch Cisco devices affected by the actively exploited CVE-2025-20333 and CVE-2025-20362 vulnerabilities within one day.

Daily Brief Summary

VULNERABILITIES // CISA Retires Ten Emergency Directives, Shifts Focus to BOD 22-01

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has retired ten Emergency Directives, marking the largest bulk closure in its history.

These directives, issued between 2019 and 2024, were retired as their required actions have been completed or are now covered by Binding Operational Directive 22-01.

Binding Operational Directive 22-01 leverages the Known Exploited Vulnerabilities (KEV) catalog to mandate patching timelines for federal civilian agencies.

Agencies must patch vulnerabilities listed in the KEV catalog by specific deadlines, with older flaws requiring fixes within six months and newer ones within two weeks.

CISA retains the authority to impose shorter patching timelines for high-risk vulnerabilities, such as the recent one-day patch requirement for certain Cisco device flaws.

This strategic shift aims to streamline vulnerability management and ensure rapid response to emerging cyber threats across federal agencies.

The transition to BOD 22-01 reflects CISA's commitment to proactive risk mitigation and maintaining robust cybersecurity defenses.