Jan 9
/
Latest News
CISA Retires Ten Emergency Directives as Federal Cybersecurity Matures
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced Thursday the formal retirement of ten high-profile Emergency Directives (EDs) issued between 2019 and 2024.
The move signals that the immediate threats addressed by these orders—which included landmark incidents like the SolarWinds Orion compromise and critical Microsoft Exchange vulnerabilities—have been sufficiently mitigated across Federal Civilian Executive Branch (FCEB) agencies. By closing these directives, CISA is shifting its focus from crisis response for these specific events toward long-term, resilient infrastructure management.
The list of retired directives covers some of the most significant cybersecurity challenges of the past five years. Notable closures include ED 21-01, issued in response to the SolarWinds supply chain attack; ED 21-02, which addressed widespread on-premises Microsoft Exchange vulnerabilities; and the more recent ED 24-02, regarding nation-state compromises of Microsoft’s corporate email systems. These directives were originally designed to force rapid remediation of vulnerabilities that posed "unacceptable risks" to the federal enterprise, particularly those linked to hostile nation-state actors.
CISA attributed the closures to a successful collaborative effort with federal agencies to implement required security actions and incorporate best practices into daily operations. The agency noted that the protections mandated by these individual emergency orders are now largely enforced through more permanent frameworks, specifically Binding Operational Directive (BOD) 22-01. This "Known Exploited Vulnerabilities" catalog serves as a continuous requirement for agencies to patch validated security flaws, effectively absorbing the temporary mandates of the retired EDs into a standardized federal protocol.
"The closure of these ten Emergency Directives reflects CISA’s commitment to operational collaboration across the federal enterprise," said CISA Acting Director Madhu Gottumukkala. He emphasized that as the operational lead for federal cybersecurity, the agency's role is to leverage its authority to defend against persistent access and emerging threats. The retirement of these orders serves as a benchmark for how federal cyber-defense has transitioned from reactive "firefighting" to a more sustainable, proactive posture.
Looking toward the future, the agency intends to double down on its "Secure by Design" initiative, which urges software manufacturers to take greater responsibility for the security of their products before they reach the consumer. By prioritizing transparency, configurability, and interoperability, CISA aims to reduce the need for future emergency directives altogether. The goal is to build a federal environment where security is a foundational element of the technology stack rather than a series of urgent patches applied after a crisis has already begun.
The move signals that the immediate threats addressed by these orders—which included landmark incidents like the SolarWinds Orion compromise and critical Microsoft Exchange vulnerabilities—have been sufficiently mitigated across Federal Civilian Executive Branch (FCEB) agencies. By closing these directives, CISA is shifting its focus from crisis response for these specific events toward long-term, resilient infrastructure management.
The list of retired directives covers some of the most significant cybersecurity challenges of the past five years. Notable closures include ED 21-01, issued in response to the SolarWinds supply chain attack; ED 21-02, which addressed widespread on-premises Microsoft Exchange vulnerabilities; and the more recent ED 24-02, regarding nation-state compromises of Microsoft’s corporate email systems. These directives were originally designed to force rapid remediation of vulnerabilities that posed "unacceptable risks" to the federal enterprise, particularly those linked to hostile nation-state actors.
CISA attributed the closures to a successful collaborative effort with federal agencies to implement required security actions and incorporate best practices into daily operations. The agency noted that the protections mandated by these individual emergency orders are now largely enforced through more permanent frameworks, specifically Binding Operational Directive (BOD) 22-01. This "Known Exploited Vulnerabilities" catalog serves as a continuous requirement for agencies to patch validated security flaws, effectively absorbing the temporary mandates of the retired EDs into a standardized federal protocol.
"The closure of these ten Emergency Directives reflects CISA’s commitment to operational collaboration across the federal enterprise," said CISA Acting Director Madhu Gottumukkala. He emphasized that as the operational lead for federal cybersecurity, the agency's role is to leverage its authority to defend against persistent access and emerging threats. The retirement of these orders serves as a benchmark for how federal cyber-defense has transitioned from reactive "firefighting" to a more sustainable, proactive posture.
Looking toward the future, the agency intends to double down on its "Secure by Design" initiative, which urges software manufacturers to take greater responsibility for the security of their products before they reach the consumer. By prioritizing transparency, configurability, and interoperability, CISA aims to reduce the need for future emergency directives altogether. The goal is to build a federal environment where security is a foundational element of the technology stack rather than a series of urgent patches applied after a crisis has already begun.
Executive IT Forums, Inc.
Educational Programs on Information Technology, Governance, Risk Management, & Compliance (GRC).
Our Newsletter
Get regular updates on CPE programs, news, and more.
Thank you!
Copyright © 2026 Executive IT Forums, Inc. All Rights Reserved.
Get started
Let us introduce our school
Write your awesome label here.