
CISA sunsets 10 emergency directives thanks to evolution of exploited vulnerabilities catalog

Ten emergency directives issued by the U.S.’s top cybersecurity agency have been retired after officials determined they were redundant thanks in part to a widely used catalog of exploited vulnerabilities. 

The Cybersecurity and Infrastructure Security Agency (CISA) said on Thursday that the 10 directives being retired were issued between 2019 and 2024, spanning both the Trump and Biden administrations. 

The agency typically issues emergency directives to force federal civilian agencies to patch specific vulnerabilities or stop some activity being exploited by threat actors. 

CISA said it was taking the step after working with “federal agencies to drive remediation, embed best practices and overcome systemic challenges.” The directives achieved their mission to mitigate urgent and imminent risks to Federal Civilian Executive Branch (FCEB) agencies, according to CISA.

CISA Acting Director Madhu Gottumukkala explained that the agency typically leverages its authority in situations with “unacceptable risks, especially those related to hostile nation-state actors.”

“The closure of these ten Emergency Directives reflects CISA’s commitment to operational collaboration across the federal enterprise.”

CISA conducted a review of all active emergency directives and determined that these 10 were either implemented successfully or were addressed by specific vulnerabilities being added to the Known Exploited Vulnerabilities catalog.

The catalog, known colloquially as the KEV, typically sets a three-week deadline for federal civilian agencies to patch bugs that CISA knows have been exploited by threat actors. In recent months, CISA has set shorter timelines for some severe vulnerabilities added to the KEV, including one that needed to be patched within 24 hours.

The directives being retired because they relate to bugs now in the KEV include Microsoft vulnerabilities CVE-2020-0601, CVE-2020-1350, CVE-2020-1472, CVE-2021-26855, CVE-2021-34527, and CVE-2021-22893. There is also a directive on a bug affecting VMware products being retired. 

For three other emergency directives, CISA “determined that their objectives were achieved, requirements no longer align with the current risk posture, and changes in practices have rendered the directives obsolete.”

The emergency directives are now tagged as “closed” on CISA’s website. The last two emergency directives issued by CISA concerned vulnerabilities affecting products from F5 and Cisco.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.