CISA Closes 10 Emergency Cyber Directives

On January 8, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) officially closed 10 Emergency Directives that were issued to federal agencies between 2019 and 2024. These EDs were originally deployed to force rapid, high-priority defensive actions against some of the most serious cybersecurity threats facing the Federal Civilian Executive Branch (FCEB).

The full list of retired EDs includes:

  • ED 19-01: Mitigate DNS Infrastructure Tampering
  • ED 20-02 / 20-03 / 20-04: Multiple Windows vulnerabilities (Patch Tuesday issues, DNS, Netlogon/Zerologon)
  • ED 21-01: Mitigate SolarWinds Orion code compromise
  • ED 21-02: Mitigate Microsoft Exchange On-Premises vulnerabilities
  • ED 21-03 / 21-04: Pulse Connect Secure and Windows Print Spooler vulnerabilities
  • ED 22-03: Mitigate VMware vulnerabilities
  • ED 24-02: Mitigating risk from a nation-state compromise of Microsoft corporate email system

What This Means Technically

1. Directives Have Been Completed or Superseded

CISA determined that the required action items in these EDs have either been fully implemented by agencies or are now managed under other enduring programs, notably the Known Exploited Vulnerabilities (KEV) catalog and Binding Operational Directive (BOD) 22-01. Under BOD 22-01, any vulnerability added to the KEV catalog carries a mandatory remediation timeline for federal agencies (often as short as weeks or even days for critical flaws).

Federal cybersecurity expectations remain strong, but separate emergency directives are no longer needed for each issue, because the ongoing vulnerability management frameworks now cover the same risk surface.


2. ED 21-01 (SolarWinds Orion) Has Been Sunset

  • ED 21-01 was originally issued in December 2020 in response to the SolarWinds supply chain attack, where Russian-linked actors (likely Cozy Bear/APT29) injected malicious code into the SolarWinds Orion software build system. The compromise enabled broad access to U.S. government networks.
  • The directive forced agencies to disconnect affected infrastructure, rebuild trusted systems, remove malicious artifacts, reset credentials, and report status back to CISA. These processes ensured that persistent footholds were removed and that enterprise logging and detection capabilities were improved.

CISA has now confirmed the remaining objectives of ED 21-01 have been met and is formally closing the directive.


3. ED 24-02 (Microsoft Corporate Email Compromise) Is Closed Too

ED 24-02 was issued in response to a 2024 breach involving compromised Microsoft corporate email accounts, where threat actors gained access to internal email infrastructure. Agencies were ordered to investigate any impact, reset credentials, and implement stronger identity protections.

CISA’s closure of ED 24-02 confirms that the technical and operational actions required have been satisfied, and risks have been sufficiently mitigated under existing defensive controls.


Why CISA Is Doing This Now

Operational vs. Emergency Remediation

Emergency Directives are not permanent policies—they exist to address a high-urgency risk where standard remediation timelines are insufficient. Once those actions are complete or integrated into ongoing programs, they can be retired.

KEV + BOD 22-01 Holds the Fort

Many of the retired EDs originally addressed vulnerabilities that are now tracked in the Known Exploited Vulnerabilities (KEV) catalog. Under BOD 22-01, agencies must patch systems where KEV vulnerabilities are present, typically within very tight deadlines.

Stronger Continuous Risk Management

CISA’s approach is shifting from event-driven emergency responses to sustained risk management, including robust threat hunting, logging/monitoring improvements, and Zero Trust controls embedded across federal networks.


Practical Implications for Security Teams

  • Federal agencies must continue to meet KEV patching timelines and follow BOD 22-01 enforcement.
  • Retirement of an ED does not mean the risk is gone forever—it means the vulnerability is now governed by baseline requirements.
  • Lessons from SolarWinds, Microsoft, and other incidents are being folded into enterprise detection, identity protection, and secure supply chain controls rather than one-off remediations.