Cybersecurity Directives


The Cybersecurity and Infrastructure Security Agency (CISA)  develops and oversees the implementation of “binding operational directives” and “emergency directives,” which require action on the part of certain federal agencies in the civilian Executive Branch.

Emergency Directive 22-02: Mitigate Apache Log4J Vulnerability

Emergency Directives

  • ED 22-03 - Mitigate VMWare Vulnerabilities
  • ED 22-02 - Mitigate Apache Log4J Vulnerability (Closed)
  • ED 21-04 - Mitigate Windows Print Spooler Service Vulnerability
  • ED 21-03 - Mitigate Pulse Connect Secure Product Vulnerabilities
  • ED 21-02 - Mitigate Microsoft Exchange On-Premises Product Vulnerabilities
  • ED 21-01 - Mitigate SolarWinds Orion Code Compromise
  • ED 20-04 - Mitigate Netlogon Elevation of Privilege Vulnerability from August 2020 Patch Tuesday
  • ED 20-03 - Mitigate Windows DNS Server Vulnerability from July 2020 Patch Tuesday
  • ED 20-02 - Mitigate Windows Vulnerabilities from January 2020 Patch Tuesday 
  • ED 19-01 - Mitigate DNS Infrastructure Tampering

Binding Operational Directives

  • BOD 22-01 - Reducing the Significant Risk of Known Exploited Vulnerabilities 
  • BOD 20-01 - Develop and Publish a Vulnerability Disclosure Policy
  • BOD 19-02 - Vulnerability Remediation Requirements for Internet-Accessible Systems
  • BOD 18-02 - Securing High Value Assets
  • BOD 18-01 - Enhance Email and Web Security
  • BOD 17-01 - Removal of Kaspersky-branded Products
  • BOD 16-03 - 2016 Agency Cybersecurity Reporting Requirements
  • BOD 16-02 - Threat to Network Infrastructure Devices
  • BOD 16-01 - Securing High Value Assets (Revoked)
  • BOD 15-01 - Critical Vulnerability Mitigation (Revoked)

Was this webpage helpful?  Yes  |  Somewhat  |  No