The Cybersecurity and Infrastructure Security Agency has retired 10 emergency directives issued over a five-year period, signaling that the immediate risks the directives were designed to address have been mitigated.
The Potomac Officers Club’s 2026 Cyber Summit on May 21 convenes public- and private-sector cybersecurity professionals to review evolving threats and federal security requirements as agencies work toward the Department of War’s 2027 zero trust deadline. Register now to be part of the conversation!
Why Did CISA Retire the Emergency Directives?
CISA said Thursday that a review of all active emergency directives found them no longer necessary, noting that mandated actions have either been fully implemented or are now covered under Binding Operational Directive 22-01, which requires agencies to remediate flaws listed in CISA’s Known Exploited Vulnerabilities catalog.
Other directives were retired after changes in security practices and threat posture made the original requirements outdated.
“The closure of these ten Emergency Directives reflects CISA’s commitment to operational collaboration across the federal enterprise, said Madhu Gottumukkala, acting director at CISA. “Every day, CISA’s exceptional team works collaboratively with partners to eliminate persistent access, counter emerging threats, and deliver real-time mitigation guidance. Looking ahead, CISA continues to advance Secure by Design principles – prioritizing transparency, configurability, and interoperability - so every organization can better defend their diverse environments.”
Gottumukkala added that CISA will continue to issue emergency directives when conditions warrant “swift, decisive action,” particularly in response to nation-state cyber threats.
Which Emergency Directives Were Retired?
CISA confirmed the closure of the following emergency directives:
Legacy Infrastructure & System Threats
- ED 19-01: DNS infrastructure tampering
- ED 20-02: Windows vulnerabilities
- ED 20-03: Windows DNS server vulnerability
- ED 20-04: Netlogon elevation of privilege
- ED 21-04: Windows Print Spooler service vulnerability
Major Supply Chain & Software Compromises
- ED 21-01: SolarWinds Orion code compromise
- ED 21-02: Microsoft Exchange on-premises vulnerabilities
- ED 21-03: Pulse Connect Secure product vulnerabilities
- ED 22-03: VMware vulnerabilities
- ED 24-02: compromise of Microsoft corporate email accounts by Midnight Blizzard, a Russian state-sponsored cyber actor
