Ten Emergency Directives issued between 2019 and 2024 have been formally retired by the US Cybersecurity and Infrastructure Security Agency (CISA) following a review that found their objectives had been met.
The decision marks the most significant number of Emergency Directives closed at once and reflects changes in how cyber-risk is managed across federal civilian agencies.
The update follows CISA’s assessment that required remediation actions have either been fully implemented by Federal Civilian Executive Branch agencies or incorporated into Binding Operational Directive 22-01.
That standing directive addresses the ongoing risk posed by known exploited vulnerabilities (KEVs) and now serves as the primary mechanism for managing those issues.
From Temporary Mandates to Ongoing Controls
Emergency Directives are issued to address urgent and imminent threats and are intended to remain active only as long as necessary. CISA said sustained coordination with federal agencies helped resolve the underlying risks, embed cybersecurity best practices and reduce reliance on time-limited emergency measures.
“As the operational lead for federal cybersecurity, CISA leverages its authorities to strengthen federal systems and defend against unacceptable risks,” said acting director, Madhu Gottumukkala.
“The closure of these ten Emergency Directives reflects CISA’s commitment to operational collaboration across the federal enterprise.”
Several of the retired directives were linked to specific Common Vulnerabilities and Exposures (CVEs). Those issues are now tracked through CISA’s KEV catalog, which standardizes how agencies identify and remediate widely exploited flaws.
Emergency Directives Now Closed
The directives no longer in force include:
-
ED 19-01 addressing DNS infrastructure tampering
-
ED 20-02 through ED 20-04 related to Windows and Netlogon vulnerabilities
-
ED 21-01 through ED 21-04 covering SolarWinds Orion, Microsoft Exchange, Pulse Connect Secure and Windows Print Spooler
-
ED 22-03 focused on VMware vulnerabilities
-
ED 24-02 concerning the nation-state compromise of Microsoft corporate email systems
CISA said three of these directives (19-01, 21-01 and 24-02) were closed after determining their requirements no longer aligned with the current risk posture or operational practices.
Emergency Directives will continue to be issued when needed, but CISA emphasized long-term risk reduction increasingly relies on standardized directives and secure-by-design principles across federal systems.