The Cybersecurity and Infrastructure Security Agency (CISA) announced recently that it had retired 10 Emergency Directives issued between 2019 and 2024.
The emergency directives had been issued, per statute, to mitigate emerging threats and to minimize impact. Officials said the emergency directors were tied to specific Common Vulnerabilities and Exposures, and were retired because those vulnerabilities are not included in CISA’s Known Exploited Vulnerabilities (KEV) catalog. CISA said it had determined their objectives had been met, and their requirements no longer aligned with the current risk posture, rendering them obsolete.
“As the operational lead for federal cybersecurity, CISA leverages its authorities to strengthen federal systems and defend against unacceptable risks, especially those related to hostile nation-state actors. When the threat landscape demands it, CISA mandates swift, decisive action by Federal Civilian Executive Branch (FCEB) agencies and continues to issue directives as needed to drive timely cyber risk reduction across federal enterprise,” CISA Acting Director Madhu Gottumukkala said. “The closure of these ten Emergency Directives reflects CISA’s commitment to operational collaboration across the federal enterprise. Every day, CISA’s exceptional team works collaboratively with partners to eliminate persistent access, counter emerging threats, and deliver real-time mitigation guidance. Looking ahead, CISA continues to advance Secure by Design principles – prioritizing transparency, configurability, and interoperability – so every organization can better defend their diverse environments.”
Officials said it was the highest number of emergency directives retired by the agency at one time.
The closed emergency directives include:
- ED 19-01: Mitigate DNS Infrastructure Tampering
- ED 20-02: Mitigate Windows Vulnerabilities from January 2020 Patch Tuesday
- ED 20-03: Mitigate Windows DNS Server Vulnerability from July 2020 Patch Tuesday
- ED 21-01: Mitigate SolarWinds Orion Code Compromise
- ED 24-02: Mitigating the Significant Risk from Nation-State Compromise of Microsoft Corporate Email System