CISA's Historic Retirement of 10 Emergency Directives: Advancing Federal Cybersecurity Resilience

By Ashish S

In a landmark move that underscores the evolving landscape of federal cybersecurity, the Cybersecurity and Infrastructure Security Agency (CISA) has announced the retirement of ten Emergency Directives issued between 2019 and 2024. This decision, revealed on January 8, 2026, represents the largest number of such directives closed simultaneously in the agency's history. It highlights the successful completion of critical mitigation efforts and the integration of these measures into broader, ongoing frameworks designed to bolster the nation's digital defenses.

CISA, established as part of the Department of Homeland Security, serves as the operational lead for federal cybersecurity. Its mission encompasses protecting critical infrastructure, coordinating responses to cyber threats, and issuing directives to Federal Civilian Executive Branch (FCEB) agencies. Emergency Directives are among CISA's most powerful tools, mandated by statute to address imminent and severe risks. These directives require swift action from agencies to mitigate vulnerabilities that could lead to significant breaches, data loss, or disruptions to essential services. Unlike advisory guidance, Emergency Directives carry the force of law for federal entities, ensuring rapid remediation in the face of urgent threats.

The retirement of these ten directives signals a maturation in federal cybersecurity practices. After a thorough review, CISA determined that the required actions had either been fully implemented across agencies or had been effectively incorporated into Binding Operational Directive (BOD) 22-01. Issued in November 2021, BOD 22-01 focuses on reducing the significant risk posed by Known Exploited Vulnerabilities (KEV). This directive established a centralized catalog managed by CISA, listing vulnerabilities that have been actively exploited in real-world attacks. Agencies are required to remediate these KEVs within strict timelines, typically weeks, to minimize exposure. By integrating the elements of the retired Emergency Directives into this framework, CISA ensures ongoing vigilance without the need for standalone mandates.

Seven of the retired directives were tied to specific Common Vulnerabilities and Exposures (CVEs), which are now part of the KEV catalog. This transition allows for sustained monitoring and enforcement through BOD 22-01. The remaining three directives were deemed obsolete because their objectives had been achieved, and shifts in technology and practices had altered the risk landscape. This strategic closure not only streamlines federal cybersecurity operations but also frees resources for addressing emerging threats, such as those from nation-state actors.

The Retired Directives: A Closer Look

To appreciate the scope of this achievement, it is essential to examine each of the ten retired Emergency Directives. Each one addressed a pressing cybersecurity issue at the time of issuance, often in response to widespread exploitation or high-profile incidents. Here is a detailed overview:

  • ED 19-01: Mitigate DNS Infrastructure Tampering (Issued 2019) - This directive tackled a sophisticated campaign involving Domain Name System (DNS) hijacking, where attackers redirected traffic to malicious servers. It required agencies to enhance DNS security protocols, audit configurations, and implement multi-factor authentication for administrative access. The threat, linked to state-sponsored actors, could have compromised sensitive government communications and data integrity.
  • ED 20-02: Mitigate Windows Vulnerabilities from January 2020 Patch Tuesday (Issued 2020) - Focused on critical flaws in Microsoft Windows systems revealed during the January 2020 security updates. These vulnerabilities allowed remote code execution, potentially enabling attackers to take control of affected machines. Agencies were instructed to apply patches immediately and verify system integrity to prevent widespread infiltration.
  • ED 20-03: Mitigate Windows DNS Server Vulnerability from July 2020 Patch Tuesday (Issued 2020) - This addressed a severe wormable vulnerability in Windows DNS servers, known as CVE-2020-1350 or SIGRed. Exploitation could lead to domain-wide compromises without user interaction. The directive mandated patching and network segmentation to curb potential propagation similar to past worms like WannaCry.
  • ED 20-04: Mitigate Netlogon Elevation of Privilege Vulnerability from August 2020 Patch Tuesday (Issued 2020) - Targeting CVE-2020-1472, dubbed Zerologon, this flaw allowed unauthenticated attackers to gain domain administrator privileges. It posed a risk to Active Directory environments. Agencies had to deploy patches and monitor for exploitation attempts, averting potential total network takeovers.
  • ED 21-01: Mitigate SolarWinds Orion Code Compromise (Issued 2021) - In response to the infamous SolarWinds supply chain attack, attributed to Russian hackers, this directive required agencies to isolate affected Orion software, reset credentials, and conduct forensic analyses. The breach had exposed numerous federal networks, highlighting the dangers of third-party software vulnerabilities.
  • ED 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities (Issued 2021) - Addressing a series of zero-day exploits in Microsoft Exchange servers, exploited by Chinese state actors in the Hafnium campaign. These flaws enabled web shell deployment and data exfiltration. The directive enforced patching, removal of malicious artifacts, and enhanced monitoring to protect email infrastructures.
  • ED 21-03: Mitigate Pulse Connect Secure Product Vulnerabilities (Issued 2021) - This targeted flaws in Ivanti's Pulse Connect Secure VPN appliances, which were being exploited for unauthorized access. Agencies were required to update firmware, revoke compromised sessions, and implement least-privilege access controls to prevent lateral movement within networks.
  • ED 21-04: Mitigate Windows Print Spooler Service Vulnerability (Issued 2021) - Focused on PrintNightmare (CVE-2021-34527), a spooler vulnerability allowing privilege escalation and remote code execution. The directive called for disabling the print spooler on non-essential systems and applying security updates, addressing a flaw that affected millions of Windows devices.
  • ED 22-03: Mitigate VMware Vulnerabilities (Issued 2022) - Dealing with critical issues in VMware products, including authentication bypass and remote code execution flaws. Exploitation could lead to full virtualization environment compromises. Agencies had to patch systems and isolate vulnerable instances to safeguard cloud and on-premises infrastructures.
  • ED 24-02: Mitigating the Significant Risk from Nation-State Compromise of Microsoft Corporate Email System (Issued 2024) - This directive responded to a breach in Microsoft's corporate email systems by Russian hackers, risking exposure of sensitive correspondence. It required enhanced email security measures, including advanced threat detection and credential hygiene, to counter persistent access by advanced persistent threats.

These directives collectively addressed a wide array of threats, from software vulnerabilities to supply chain compromises, demonstrating CISA's proactive stance against both opportunistic and targeted attacks.

Significance and Broader Implications

The simultaneous retirement of these directives is more than an administrative cleanup; it marks a pivotal era in federal cybersecurity. As CISA Acting Director Madhu Gottumukkala stated, this action reflects the agency's commitment to operational collaboration across the federal enterprise. Every day, CISA's teams work with partners to eliminate persistent access, counter emerging threats, and deliver real-time mitigation guidance. Looking forward, CISA is advancing Secure by Design principles, prioritizing transparency, configurability, and interoperability to help organizations defend diverse environments.

By shifting focus to the KEV catalog under BOD 22-01, CISA ensures that vulnerability management is dynamic and evidence-based. The KEV list, which now includes over a thousand entries, prioritizes flaws known to be exploited in the wild, allowing agencies to allocate resources efficiently. This approach has proven effective, with studies showing reduced incident rates among compliant entities. For the private sector, while BOD 22-01 is mandatory only for federal agencies, its principles serve as a best-practice model, encouraging organizations worldwide to adopt similar strategies.

Moreover, this retirement emphasizes the importance of partnership. Since issuing these directives, CISA has collaborated closely with agencies to drive remediation, embed best practices, and overcome systemic challenges. The result is a more resilient digital infrastructure, better equipped to withstand the multiplying risks from cybercriminals and nation-states. In an era where cyber threats evolve rapidly - from ransomware to AI-driven attacks - such milestones reinforce the need for continuous adaptation.

Looking Ahead: Strengthening Defenses

As cyber threats continue to escalate, CISA remains vigilant. The agency will continue issuing new directives when necessary to mandate swift action against unacceptable risks. However, the integration into BOD 22-01 allows for a more sustainable framework, reducing the need for emergency measures by addressing vulnerabilities proactively through the KEV catalog.

For federal agencies, this means ongoing compliance with BOD 22-01, including regular scans, timely patching, and reporting. For the broader cybersecurity community, it serves as a reminder of the value in prioritizing exploited vulnerabilities over theoretical risks. Ultimately, CISA's actions pave the way for a safer digital future, where enhanced mitigation efforts protect not just government systems but the nation's critical infrastructure as a whole.
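
The KEV-first triage described above can be sketched in a few lines. This is an added example, not CISA's or the author's code: it assumes a catalog excerpt laid out like the KEV JSON feed (cveID and dueDate fields), and the host names, scanner findings and every due date are constructed placeholders.

```python
import json
from datetime import date

# Constructed excerpt in the layout of the KEV JSON feed. The CVE IDs are the
# ones named in this article; every dueDate is a placeholder, not the
# catalog's real value.
KEV_SAMPLE = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2020-1350",  "dueDate": "2025-01-15"},
  {"cveID": "CVE-2020-1472",  "dueDate": "2025-03-01"},
  {"cveID": "CVE-2021-34527", "dueDate": "2025-06-30"}
]}
""")

# Constructed scanner output: (host, CVE, CVSS base score).
FINDINGS = [
    ("dc01.agency.example", "CVE-2020-1472", 10.0),
    ("dns02.agency.example", "CVE-2020-1350", 10.0),
    ("print03.agency.example", "CVE-2021-34527", 8.8),
    ("web04.agency.example", "CVE-0000-0001", 9.8),   # placeholder ID, not in KEV
    ("dc01.agency.example", "cve-2021-34527 ", 8.8),  # messy casing/whitespace
]

def triage(findings, kev, today):
    """Split findings into KEV-listed (sorted by due date) and the rest."""
    due = {v["cveID"].strip().upper(): date.fromisoformat(v["dueDate"])
           for v in kev["vulnerabilities"]}
    listed, other = [], []
    for host, cve, cvss in findings:
        cve = cve.strip().upper()  # normalise before matching the catalog
        if cve in due:
            days_left = (due[cve] - today).days
            listed.append({"host": host, "cve": cve, "due": due[cve],
                           "days_left": days_left,
                           "status": "OVERDUE" if days_left < 0 else "DUE"})
        else:
            other.append({"host": host, "cve": cve, "cvss": cvss})
    listed.sort(key=lambda f: (f["due"], f["host"]))  # earliest deadline first
    other.sort(key=lambda f: -f["cvss"])              # backlog ranked by CVSS
    return listed, other

if __name__ == "__main__":
    listed, other = triage(FINDINGS, KEV_SAMPLE, today=date(2025, 2, 1))
    for f in listed:
        print(f"{f['status']:8}{f['due']}  {f['cve']:16}{f['host']}"
              f"  ({f['days_left']:+d} days)")
    for f in other:
        print(f"BACKLOG  CVSS {f['cvss']:<5}{f['cve']:16}{f['host']}")
```

The CVSS 9.8 finding that is not in the catalog lands in the backlog behind the KEV-listed 8.8 finding, which is the exploited-over-theoretical ordering the paragraph describes.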

In conclusion, the retirement of these ten Emergency Directives is a testament to the progress made in federal cybersecurity. It celebrates the hard work of countless professionals who have turned urgent mandates into lasting protections, setting a strong foundation for the challenges ahead.

Ashish S
Ashish is a Cybersecurity Student with over 2 years of experience in Cybersecurity Research, Bug Bounty hunting and programming.