A news release from CISA said Thursday the agency is retiring 10 Emergency Directives issued between 2019 and 2024 and that required actions have been implemented or are enforced through Binding Operational Directive 22-01.
KEY FACTS
- Action Retirement of 10 Emergency Directives
- Timeframe Directives issued from 2019 to 2024
- Enforcement Required actions implemented or covered by BOD 22-01
- Examples ED 21-01 SolarWinds and ED 24-02 Microsoft corporate email compromise
The ten closed directives are ED 19-01, ED 20-02, ED 20-03, ED 20-04, ED 21-01, ED 21-02, ED 21-03, ED 21-04, ED 22-03, and ED 24-02.
The directives addressed DNS infrastructure tampering, multiple Windows vulnerabilities, a SolarWinds Orion code compromise, Microsoft Exchange on-premises vulnerabilities, Pulse Connect Secure flaws, Windows Print Spooler issues, and VMware vulnerabilities.
Federal Civilian Executive Branch agencies worked on remediation steps and adopted best practices to close the directives.
Guidance moving forward emphasizes Secure by Design principles such as transparency, configurability, and interoperability to improve resilience.
WHY IT MATTERS
Shifting enforcement to a standing Binding Operational Directive and closing these emergency orders signals that the specified federal mitigations are in place or are covered by broader vulnerability management rules. Agencies with affected systems should verify mitigations remain implemented.