The US Cybersecurity and Infrastructure Security Agency (CISA) has retired ten Emergency Directives (EDs) it issued between 2019 and 2024, saying they had served their purpose and were no longer needed.
In a brief announcement on its website, CISA said the EDs have either been successfully implemented or are now covered by Binding Operational Directive (BOD) 22-01, making them obsolete.
“When warranted by the threat landscape, CISA requires swift and decisive action by federal Civilian Executive Branch (FCEB) agencies and continues to issue guidance as necessary to support the rapid reduction of cyber risks at federal enterprises,” said Madhu Gottumukkala, acting director of CISA.
BOD 22-01, "Reducing the Significant Risk of Known Exploited Vulnerabilities," is a mandatory federal cybersecurity policy first issued on November 3, 2021. It requires Federal Civilian Executive Branch (FCEB) agencies to focus their vulnerability management efforts on a select list of known exploited vulnerabilities (KEVs) that pose significant risk. The policy creates a CISA-managed catalog of these actively exploited vulnerabilities and establishes strict remediation timelines, requiring agencies to remediate or mitigate them within specific timeframes.
As a result, the following Emergency Directives have been retired:
ED 19-01: Mitigate DNS Infrastructure Tampering
ED 20-02: Mitigate Windows Vulnerabilities from January 2020 Patch Tuesday
ED 20-03: Mitigate Windows DNS Server Vulnerability from July 2020 Patch Tuesday
ED 20-04: Mitigate Netlogon Elevation of Privilege Vulnerability from August 2020 Patch Tuesday
ED 21-01: Mitigate SolarWinds Orion Code Compromise
ED 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities
ED 21-03: Mitigate Pulse Connect Secure Product Vulnerabilities
ED 21-04: Mitigate Windows Print Spooler Service Vulnerability
ED 22-03: Mitigate VMware Vulnerabilities
ED 24-02: Mitigating the Significant Risk from Nation-State Compromise of Microsoft Corporate Email System
CISA also said this was the largest number of EDs retired at the same time.
“The finalization of these ten emergency guidelines reflects CISA’s commitment to operational collaboration across the federal enterprise. Looking ahead, CISA continues to advance security by design principles, prioritizing transparency, configurability and interoperability, so that each organization can better protect its diverse environments,” said Gottumukkala.