Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday said it's retiring 10 emergency directives (EDs) that were issued between 2019 and 2024. The list of the directives now considered closed is as follows: ED 19-01: Mitigate DNS Infrastructure Tampering; ED 20-02: Mitigate Windows Vulnerabilities from January 2020 Patch Tuesday; ED 20-03: Mitigate Windows DNS Server
Analysis Summary
# Regulation/Compliance: Retirement of CISA Emergency Directives (EDs) 2019-2024
## Overview
This summary pertains to the official retirement of ten specific **CISA Emergency Directives (EDs)** that were issued between 2019 and 2024. These directives mandated immediate actions for Federal Civilian Executive Branch (FCEB) agencies to mitigate severe, actively exploited cybersecurity risks. The retirement signifies that CISA deems the risks addressed, either through successful implementation by agencies or by transition to standing, ongoing directives (specifically BOD 22-01).
## Key Details
- Issuing Authority: Cybersecurity and Infrastructure Security Agency (CISA)
- Effective Date: The actual dates of issuance varied between 2019 and 2024. The retirement date is stated as "Thursday" relative to the article publication (Jan 9, 2026).
- Jurisdiction: U.S. Federal Civilian Executive Branch (FCEB) agencies.
- Status: **Closed/Retired**. The threat mitigation actions detailed in these specific EDs are no longer mandated under those specific directive numbers.
## Requirements
### Mandatory Requirements (Historical Context for Retired Directives)
The mandatory requirements of the *retired* EDs were technical mandates related to specific vulnerabilities and infrastructure protection. Agencies that achieved compliance would have already met these:
1. **Mitigate DNS Infrastructure Tampering (ED 19-01):** Implement controls to prevent tampering with critical DNS infrastructure.
2. **Mitigate Specific Windows Vulnerabilities (ED 20-02, ED 20-03, ED 20-04):** Apply specific patches released around January, July, and August 2020, targeting vulnerabilities in Windows DNS Server, DNS Infrastructure, and Netlogon components, respectively.
3. **Mitigate Supply Chain/Product Compromises (ED 21-01, ED 21-02, ED 21-03, ED 21-04, ED 22-03):** Immediately apply vendor-supplied mitigations for high-risk vulnerabilities in products such as SolarWinds Orion, Microsoft Exchange On-Premises, Pulse Connect Secure, Windows Print Spooler Service, and VMware products.
4. **Mitigate Nation-State Compromises (ED 24-02):** Address and remediate risks associated with nation-state compromise targeting Microsoft corporate email systems.
### Recommended Practices (Current State)
1. **Transition to BOD 22-01:** Organizations must ensure that the remediation efforts initiated under these EDs are now sustained, managed, and enforced under the standing **Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities (KEVs).**
2. **Adopt Secure by Design Principles:** Prioritize security transparency, configurability, and interoperability in future system acquisitions and operational processes, as advocated by CISA.
## Affected Organizations
- Industries: Primarily **Federal Civilian Executive Branch (FCEB) Agencies** of the U.S. Government.
- Organization Size: Not explicitly detailed, but these mandates applied organization-wide within the FCEB.
- Geographic Scope: United States Federal Executive Branch departments and agencies.
## Compliance Timeline
The required actions for these specific EDs have concluded (are **Closed**).
- **Issuance Period:** 2019 through 2024.
- **Mandate Resolution:** Required actions were either completed by agencies or transitioned to standing enforcement mechanisms (BOD 22-01).
- **Final Deadline:** The deadlines for remediation under *these specific EDs* have passed and are now considered met or superseded.
## Implementation Guidance
### Assessment Phase
- **Review Closure Documentation:** Confirm that the agency has officially documented the successful remediation for each of the 10 retired directives as mandated by CISA’s internal reporting structures.
### Implementation Phase
- **Verification of BOD 22-01 Alignment:** Ensure that the vulnerabilities addressed by these historical EDs are now tracked and managed under the continuous monitoring and prioritization required by BOD 22-01 for Known Exploited Vulnerabilities (KEVs).
### Validation Phase
- **Internal Audit:** Conduct internal audits to confirm that specific technical remediation actions taken between 2019 and 2024 remain effective and have not been re-introduced through system changes.
## Technical Requirements
The historical technical requirements centered on:
1. Applying specific vendor patches immediately (for Windows, Netlogon, Exchange, Pulse Secure, VMware).
2. Hardening DNS infrastructure against tampering.
3. Comprehensive identification and removal of compromise artifacts related to specific supply chain incidents (e.g., SolarWinds).
## Penalties & Enforcement
The enforcement and penalty structure discussed relates to the *original* directives and their underlying authority:
- Fines: Not explicitly detailed in the article, but non-compliance with CISA Emergency Directives typically results in mandatory corrective action orders from the OMB, often backed by statutory authority.
- Other Consequences: Failure to comply with EDs imposes severe operational risk and risks potential disciplinary or remedial actions directed by CISA and the Office of Management and Budget (OMB).
- Enforcement: Enforcement authority stems from CISA’s role as the operational lead for federal cybersecurity, leveraging authorities to enforce mitigations against unacceptable risks, particularly those posed by nation-state actors.
## Related Standards
- **Binding Operational Directive (BOD) 22-01:** This is the successor framework for managing high-risk vulnerabilities that superseded many of the immediate patching requirements of the retired EDs.
- **Secure by Design Principles:** CISA's generalized strategy emphasizing fundamental security design elements (transparency, configurability, interoperability).
## Resources
- Official Documentation: CISA official announcements detailing the closure of ED 19-01, ED 20-02, ED 20-03, ED 20-04, ED 21-01, ED 21-02, ED 21-03, ED 21-04, ED 22-03, and ED 24-02 (Consult CISA website for links to these closed directives).
- Guidance Documents: Announcements regarding BOD 22-01 provide the current compliance standard.
## Practical Recommendations
1. **Acknowledge Closure:** Recognize that the specific timelines tied to these ten EDs are concluded.
2. **Confirm Transition:** Agencies must document and verify that the previously required remediation actions are stably managed under the permanent compliance structure of BOD 22-01.
3. **Reduce Legacy Overhead:** The retirement allows agencies to formally close documentation related to these 10 specific emergency actions, streamlining audit and reporting efforts.