Threat Intelligence | January 11, 2026 | 4 min read

CISA Closes 10 Emergency Directives in Historic Shift

The agency retired directives spanning SolarWinds to Microsoft Exchange in the largest bulk closure ever. KEV catalog now handles most vulnerability mandates.

Alex Kowalski

CISA announced Wednesday that it has retired ten Emergency Directives issued between 2019 and 2024—the largest bulk closure in the agency's history. The move signals a shift in how the federal government responds to cybersecurity threats, with the Known Exploited Vulnerabilities catalog now absorbing responsibilities that once required standalone urgent mandates.

The retired directives cover some of the most significant cyber incidents of the past five years: the SolarWinds supply chain compromise, Microsoft Exchange server attacks, Pulse Connect Secure vulnerabilities, and the recent nation-state intrusion into Microsoft's corporate email systems.

The Ten Directives

Seven of the retired directives addressed specific CVEs that are now tracked in CISA's Known Exploited Vulnerabilities (KEV) catalog under Binding Operational Directive 22-01:

  • ED 20-02: Windows Vulnerabilities from January 2020 Patch Tuesday
  • ED 20-03: Windows DNS Server Vulnerability (July 2020)
  • ED 20-04: Netlogon Elevation of Privilege (August 2020)
  • ED 21-02: Microsoft Exchange On-Premises Product Vulnerabilities
  • ED 21-03: Pulse Connect Secure Product Vulnerabilities
  • ED 21-04: Windows Print Spooler Service Vulnerability
  • ED 22-03: VMware Vulnerabilities

Three additional directives were retired because CISA determined their objectives had been met:

  • ED 19-01: Mitigate DNS Infrastructure Tampering
  • ED 21-01: Mitigate SolarWinds Orion Code Compromise
  • ED 24-02: Mitigating the Significant Risk from Nation-State Compromise of Microsoft Corporate Email System

Why Now?

CISA Acting Director Madhu Gottumukkala framed the closures as evidence of successful collaboration rather than reduced vigilance: "The closure of these ten Emergency Directives reflects CISA's commitment to operational collaboration across the federal enterprise."

The agency explained that required actions from these directives have either been completed or folded into BOD 22-01, which requires Federal Civilian Executive Branch agencies to remediate KEV catalog entries within specified timeframes.

This consolidation makes practical sense. Emergency Directives require significant administrative overhead—each mandates specific actions, reporting timelines, and compliance verification. The KEV catalog, by contrast, provides a single authoritative list that agencies can operationalize through existing patch management processes.

What Changes for Federal Agencies

For federal IT teams, not much changes operationally. The vulnerabilities covered by the retired CVE-specific directives remain in the KEV catalog with the same remediation requirements. Agencies still must patch them within the specified windows or face potential compliance issues.

The objective-based directives—SolarWinds, DNS tampering, and the Microsoft corporate email compromise—represent completed incident response efforts. CISA determined that "changes in practices have rendered the directives obsolete." Agencies have already implemented the required mitigations.

The KEV Catalog's Growing Role

This retirement underscores the KEV catalog's evolution from a supplementary resource to the primary mechanism for communicating urgent federal patching requirements. Since its November 2021 launch, the catalog has grown to over 1,200 entries and drives remediation timelines across all FCEB agencies.

The catalog approach offers advantages over emergency directives: faster updates, easier tracking, and integration with commercial vulnerability management tools. Security vendors have built KEV catalog support into their products, making compliance more automated than responding to individual directives.
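The due-date tracking described above, as an added example (not CISA's or any vendor's code): it reads a KEV catalog snapshot, matches entries against an asset inventory, and flags BOD 22-01 deadlines that have passed. The catalog snapshot and inventory are constructed with placeholder CVE IDs; the field names follow CISA's public known_exploited_vulnerabilities.json feed.

```python
# Added example: KEV-driven remediation deadline report in the style of
# BOD 22-01 compliance tooling. KEV_SNAPSHOT is CONSTRUCTED with placeholder
# CVE IDs; its keys mirror CISA's public known_exploited_vulnerabilities.json.
import json
from datetime import date

KEV_SNAPSHOT = json.loads("""{
  "catalogVersion": "example", "count": 2,
  "vulnerabilities": [
    {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor",
     "product": "Example DNS Server", "dateAdded": "2026-01-05",
     "requiredAction": "Apply mitigations per vendor instructions.",
     "dueDate": "2026-01-19"},
    {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVendor",
     "product": "Example Mail Server", "dateAdded": "2025-12-01",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2025-12-22"}
  ]}""")

# Constructed asset inventory: host -> set of CVEs still unpatched on it.
INVENTORY = {
    "dns01.example.gov": {"CVE-0000-00001"},
    "mail01.example.gov": {"CVE-0000-00002", "CVE-0000-00001"},
    "web01.example.gov": set(),
}

def kev_status(catalog, inventory, today_iso):
    """Return {cveID: {"due", "overdue", "days_left", "hosts"}} for every
    KEV entry still present on at least one inventoried host."""
    today = date.fromisoformat(today_iso)
    report = {}
    for entry in catalog["vulnerabilities"]:
        cve = entry["cveID"]
        hosts = sorted(h for h, cves in inventory.items() if cve in cves)
        if not hosts:          # remediated everywhere: nothing to report
            continue
        due = date.fromisoformat(entry["dueDate"])
        report[cve] = {"due": due.isoformat(), "overdue": today > due,
                       "days_left": (due - today).days, "hosts": hosts}
    return report

def overdue_cves(catalog, inventory, today_iso):
    """CVEs whose BOD 22-01 due date has passed while still present."""
    status = kev_status(catalog, inventory, today_iso)
    return sorted(cve for cve, r in status.items() if r["overdue"])

if __name__ == "__main__":
    for cve, r in kev_status(KEV_SNAPSHOT, INVENTORY, "2026-01-11").items():
        state = "OVERDUE" if r["overdue"] else f"{r['days_left']}d left"
        print(cve, "due", r["due"], state, r["hosts"])
```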

But the approach has limitations. Some threats—like the SolarWinds supply chain attack or the Microsoft corporate email compromise—require coordinated incident response beyond patching. Emergency directives remain available for situations where the KEV catalog alone cannot address the threat.

Why This Matters

The directive closures mark a maturation in federal cybersecurity operations. Five years ago, each major vulnerability required a separate emergency mandate with bespoke requirements. Today, CISA can add entries to a single authoritative list and expect agencies to act without directive-specific guidance.

This doesn't mean fewer threats or reduced urgency. CISA added two vulnerabilities to the KEV catalog just days before announcing the directive retirements. The catalog currently requires FCEB agencies to remediate certain flaws within as little as two weeks of addition.

The shift does suggest that federal cybersecurity has moved past the "emergency response to everything" phase into something more sustainable. Whether that sustainability holds against the next SolarWinds-scale incident remains to be seen.
