The Cybersecurity Infrastructure and Security Agency (CISA) announced Thursday that it has retired 10 emergency directives (ED) issued in the last six years, saying that the directives have been successfully addressed.
CISA officials described the retirement as the largest the agency has undertaken at a single time.
“As the operational lead for federal cybersecurity, CISA leverages its authorities to strengthen federal systems and defend against unacceptable risks, especially those related to hostile nation-state actors,” said Madhu Gottumukkala, CISA acting director, in a statement. “When the threat landscape demands it, CISA mandates swift, decisive action by Federal Civilian Executive Branch agencies and continues to issue directives as needed to drive timely cyber risk reduction across federal enterprise.”
“The closure of these 10 Emergency Directives reflects CISA’s commitment to operational collaboration across the federal enterprise,” Gottumukkala added.
Of the 10 emergency directives retired, seven were issued to require federal agencies to patch and mitigate specific known vulnerabilities. CISA said those vulnerabilities are now included in its Known Exploited Vulnerabilities catalog, and they don’t need to be standalone directives.
The other three were retired because CISA officials “determined that their objectives were achieved, requirements no longer align with the current risk posture, and changes in practices have rendered the directives obsolete.”
Specifically, ED 1901, 2101, and 2402 were in response to active compromise activity, tampering, or high-risk intrusion campaigns.
All directives were issued between 2019 and 2024.
Gottumukkala reiterated CISA’s commitment to advancing Secure by Design principles with the retirement of its directives, saying that the agency will be “prioritizing transparency, configurability, and interoperability?- so?every?organization?can?better defend their diverse environments.”?