The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has announced the retirement of ten Emergency Directives (EDs) issued between 2019 and 2024. This significant move marks the largest bulk closure of such directives in the agency's history, signaling a maturation of federal cybersecurity defenses and the successful mitigation of numerous urgent threats.

Key Takeaways

• Ten Emergency Directives issued between 2019 and 2024 have been retired.

• The retirement reflects the successful implementation of required actions or their incorporation into existing operational directives.

• The Known Exploited Vulnerabilities (KEV) catalog and Binding Operational Directive (BOD) 22-01 now cover many of the threats previously addressed by EDs.

• This action underscores CISA's commitment to collaboration and adapting to evolving cybersecurity landscapes.

Transition to a More Resilient Infrastructure

CISA issues Emergency Directives to compel Federal Civilian Executive Branch (FCEB) agencies to address urgent and imminent cybersecurity risks. The agency stated that these directives have achieved their mission, either through successful remediation by agencies or by being superseded by more comprehensive measures. This transition signifies a move towards a more resilient and proactive federal digital infrastructure.

The Role of the KEV Catalog and BOD 22-01

A primary driver for the retirement of these directives is the increasing effectiveness of CISA's Known Exploited Vulnerabilities (KEV) catalog. Binding Operational Directive (BOD) 22-01 mandates that federal agencies address vulnerabilities listed in the KEV catalog within specific, often short, timeframes. Seven of the retired directives pertained to vulnerabilities now cataloged in KEV, meaning agencies are already required to patch these flaws.

Directives Addressing Specific Threats

The retired directives covered a range of critical cybersecurity incidents and vulnerabilities, including:

• Mitigation of DNS infrastructure tampering (ED 19-01).

• Addressing various Windows vulnerabilities from 2020 Patch Tuesdays (ED 20-02, ED 20-03, ED 20-04).

• The SolarWinds Orion code compromise (ED 21-01).

• Microsoft Exchange On-Premises product vulnerabilities (ED 21-02).

• Pulse Connect Secure product vulnerabilities (ED 21-03).

• Windows Print Spooler service vulnerabilities (ED 21-04).

• VMware vulnerabilities (ED 22-03).

• Mitigating nation-state compromise of Microsoft Corporate Email Systems (ED 24-02).

For three directives, CISA determined that their objectives were fully achieved, and evolving practices rendered them obsolete. This includes the directive addressing the SolarWinds incident and the nation-state compromise of Microsoft email systems.

Commitment to Secure by Design

CISA Acting Director Madhu Gottumukkala emphasized the agency's dedication to operational collaboration across the federal enterprise. He noted that CISA's team continuously works with partners to eliminate persistent threats and provide real-time mitigation guidance. Looking forward, CISA remains committed to advancing Secure by Design principles, prioritizing transparency, configurability, and interoperability to enhance the security of diverse digital environments.

Sources

• CISA Retires 10 Emergency Cybersecurity Directives Issued Between 2019 and 2024, The Hacker News.

• CISA Closes 10 Emergency Directives as Vulnerability Catalog Takes Over, SecurityWeek.

• CISA sunsets 10 emergency directives thanks to evolution of exploited vulnerabilities catalog, The Record from Recorded Future News.

• CISA retires 10 emergency cyber orders in rare bulk closure, BleepingComputer.

• CISA Retires Ten Emergency Directives Following Milestone Achievement, Cyber Security News.