The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has retired 10 Emergency Directives issued between 2019 and 2024, saying that the required actions have been completed or are now covered by Binding Operational Directive 22-01.

CISA said this is the largest number of Emergency Directives it has closed at one time.

“By statute, CISA issues Emergency Directives to rapidly mitigate emerging threats and to minimize the impact by limiting directives to the shortest time possible,” explains CISA.

“Following a comprehensive review of all active directives, CISA determined that required actions have been successfully implemented or are now encompassed through Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities. “

Binding Operational Directive 22-01 uses the agency’s Known Exploited Vulnerabilities (KEV) catalog to alert federal civilian agencies of actively exploited flaws and when systems must be patched against them.

Emergency Directives are meant to address urgent risks and remain in place only as long as needed.

The complete list of Emergency Directives closed today is:

• ED 19-01: Mitigate DNS Infrastructure Tampering
• ED 20-02: Mitigate Windows Vulnerabilities from January 2020 Patch Tuesday
• ED 20-03: Mitigate Windows DNS Server Vulnerability from July 2020 Patch Tuesday
• ED 20-04: Mitigate Netlogon Elevation of Privilege Vulnerability from August 2020 Patch Tuesday
• ED 21-01: Mitigate SolarWinds Orion Code Compromise
• ED 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities
• ED 21-03: Mitigate Pulse Connect Secure Product Vulnerabilities
• ED 21-04: Mitigate Windows Print Spooler Service Vulnerability
• ED 22-03: Mitigate VMware Vulnerabilities
• ED 24-02: Mitigating the Significant Risk from Nation-State Compromise of Microsoft Corporate Email System

Many of those directives addressed vulnerabilities that were exploited quickly and are now part of CISA’s KEV catalog.

Under BOD 22-01, federal civilian agencies are required to patch vulnerabilities listed in the KEV catalog by specific dates set by CISA. By default, agencies have up to six months to fix flaws assigned to CVEs before 2021, with newer flaws fixed within two weeks.

However, CISA can set significantly shorter patching timelines when deemed high risk.

In a recent example, agencies were required to patch Cisco devices affected by the actively exploited CVE-2025-20333 and CVE-2025-20362 vulnerabilities within one day.