Following a comprehensive review of its active cyber mandates, the U.S. government’s cybersecurity agency has retired a large set of emergency orders, marking a rare bulk closure tied to improved risk coverage and compliance.
The Cybersecurity and Infrastructure Security Agency said it has formally closed 10 Emergency Directives issued between 2019 and 2024, after determining that required mitigation actions have either been completed or are now covered under Binding Operational Directive 22-01. CISA said this is the largest number of Emergency Directives it has withdrawn at one time.
“By statute, CISA issues Emergency Directives to rapidly mitigate emerging threats and to minimize the impact by limiting directives to the shortest time possible,” the agency said.
“Following a comprehensive review of all active directives, CISA determined that required actions have been successfully implemented or are now encompassed through Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities.”
BOD 22-01 relies on CISA’s Known Exploited Vulnerabilities catalog to alert federal civilian agencies about actively exploited security flaws and sets mandatory timelines for patching affected systems.
Emergency Directives are issued only to address urgent and immediate cyber risks and remain active only for as long as necessary. Many of the now-closed directives addressed vulnerabilities that were rapidly exploited at the time and have since been added to the KEV catalog.
The 10 Emergency Directives retired include actions related to DNS infrastructure tampering, multiple Windows vulnerabilities, Netlogon privilege escalation, the SolarWinds Orion compromise, Microsoft Exchange on-premises flaws, Pulse Connect Secure issues, Windows Print Spooler risks, VMware vulnerabilities, and a nation-state compromise of Microsoft corporate email systems.
Under BOD 22-01, federal civilian agencies must patch cyber vulnerabilities listed in the KEV catalog by deadlines set by CISA. By default, agencies have up to 6 months to fix vulnerabilities tied to CVEs disclosed before 2021, while newer flaws must be addressed within 2 weeks.
CISA retains the authority to shorten these timelines when risks are considered severe. In a recent case, agencies were instructed to patch Cisco devices affected by the actively exploited CVE-2025-20333 and CVE-2025-20362 vulnerabilities within 1 day.
The move signals a shift from emergency-driven mandates to standardized, continuous vulnerability management across federal systems.
Also read: Viksit Workforce for a Viksit Bharat
Do Follow: The Mainstream formerly known as CIO News LinkedIn Account | The Mainstream formerly known as CIO News Facebook | The Mainstream formerly known as CIO News Youtube | The Mainstream formerly known as CIO News Twitter
About us:
The Mainstream is a premier platform delivering the latest updates and informed perspectives across the technology business and cyber landscape. Built on research-driven, thought leadership and original intellectual property, The Mainstream also curates summits & conferences that convene decision makers to explore how technology reshapes industries and leadership. With a growing presence in India and globally across the Middle East, Africa, ASEAN, the USA, the UK and Australia, The Mainstream carries a vision to bring the latest happenings and insights to 8.2 billion people and to place technology at the centre of conversation for leaders navigating the future.
