CISA BOD 22-01 Known Exploited Vulnerabilities — November 3, 2021
CISA’s Binding Operational Directive 22-01 established a mandatory catalog of known exploited vulnerabilities with remediation deadlines, requiring federal civilian agencies (and the third parties that host systems on their behalf) to prioritize patching, validation, and reporting.
Directive Overview
On 3 November 2021, the Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive (BOD) 22-01, requiring US federal civilian executive branch agencies to remediate vulnerabilities listed in the Known Exploited Vulnerabilities (KEV) Catalog within short, fixed deadlines. The directive requires that agencies update their internal vulnerability management procedures, establish ongoing processes for monitoring KEV updates, report remediation status, and prioritize remediation based on evidence of active exploitation rather than on severity scores alone.
While the directive formally applies only to federal civilian agencies, it has become a de facto benchmark for private sector patch management programs. Organizations across industries use the KEV Catalog to focus patching activities, on the reasoning that a vulnerability with confirmed exploitation presents a higher immediate risk than one with the same CVSS score but no exploitation evidence. Many regulatory frameworks and cyber insurance questionnaires now reference KEV compliance as an indicator of vulnerability management maturity.
BOD 22-01 represents a shift from annual vulnerability assessment requirements to continuous vulnerability management with specific remediation deadlines tied to exploitation evidence. This approach acknowledges that the vast number of published CVEs makes risk-based prioritization essential, and active exploitation provides a concrete signal of real-world attacker interest and capability.
KEV Catalog and Addition Criteria
CISA maintains the KEV Catalog as a living dataset, adding vulnerabilities that meet three criteria: an assigned CVE identifier, reliable evidence of active exploitation in the wild, and a clear remediation action such as a vendor patch or a specific mitigation. Each catalog entry includes the CVE identifier, vendor/project, product, vulnerability name, a short description, the required action, the date added, a due date for remediation and, since 2023, a flag indicating known use in ransomware campaigns.
At the time of writing the catalog contains over 1,100 vulnerabilities spanning operating systems, applications, network and security appliances, and industrial control systems. New entries are added as exploitation evidence emerges, sometimes within days of initial disclosure for high-profile vulnerabilities. CISA announces updates via alerts and email notifications and publishes the catalog as JSON and CSV feeds that organizations can consume programmatically.
Vulnerabilities remain in the catalog indefinitely unless CISA determines that an entry was erroneous. The catalog does not age out entries based on time since disclosure, because an unpatched system remains exploitable regardless of how old the vulnerability is. This makes a complete asset inventory essential: a vulnerability management program must cover legacy systems as well as new ones.
Remediation Requirements and Timelines
BOD 22-01 sets default remediation windows based on when the CVE identifier was assigned, not on when the entry was added to the catalog: vulnerabilities with a CVE ID assigned before 2021 must be remediated within six months, and all others within two weeks. In the initial catalog published with the directive, this produced due dates of 17 November 2021 for 2021 CVEs and 3 May 2022 for older ones. The due date recorded in each catalog entry is authoritative, and CISA may set a shorter or longer window for a given entry, so tooling should read the entry's due date rather than recompute it.
Remediation means completing the entry's required action: applying the vendor's patch, update, or other fix that addresses the vulnerability. Where a patch is unavailable, agencies must apply mitigations consistent with vendor guidance or CISA recommendations. If no remediation exists and the system cannot be adequately protected, agencies should consider removing the affected product from service or accepting the risk through a formal exception process with documented justification.
Agencies must enumerate assets affected by KEV entries and report status to CISA through the Continuous Diagnostics and Mitigation (CDM) program dashboard. Compliance reporting lets CISA track progress across the federal enterprise and identify agencies that need additional support or resources to meet remediation deadlines. Regular reporting also supports trend analysis and the identification of systemic challenges.
Implementation Controls
- Automated catalog ingestion: Integrate the KEV JSON or CSV feed into vulnerability management platforms so that scanner findings whose CVE appears in the catalog are automatically tagged for expedited remediation. Configure SIEM correlation rules and dashboards to highlight KEV-related findings and track remediation progress across the enterprise.
- Asset criticality mapping: Maintain asset inventories with business criticality ratings to sequence remediation when multiple KEV entries affect the environment. Document risk acceptance decisions when immediate remediation is not feasible due to operational constraints.
- Patch orchestration: Implement change management workflows accommodating emergency patch windows with pre-approved maintenance periods and rollback procedures. Maintain test environments to validate patches before production deployment and reduce deployment risk.
- Exception management: Establish formal processes for documenting temporary mitigations when immediate patching is infeasible, including compensating controls, acceptance authority, review timelines, and plans for full remediation.
- Validation and reporting: Use vulnerability scanners and the configuration management database to verify that remediation actually completed (a rescan, not a ticket closure). Generate compliance dashboards for executive oversight and audit evidence demonstrating program effectiveness.
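The ingestion, tagging and validation steps above reduce to a join between the KEV feed and your own scanner or CMDB export, followed by a due-date calculation. The script below is an added example written for this page, not CISA's code or part of any vendor product. It embeds a constructed excerpt in the shape of CISA's JSON feed (the real feed lives at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json) and a constructed inventory; every CVE ID, host, vendor and product name in it is a placeholder. The feed's own dueDate field is treated as authoritative, with the directive's default windows implemented only as a fallback.

```python
"""Ingest a KEV feed, join it to an asset/CVE inventory, and rank open findings
by due-date pressure. Added example; not CISA's or the page's own code."""
import calendar
import json
from datetime import date, timedelta

# Constructed excerpt in the shape of CISA's KEV JSON feed. Every CVE ID,
# vendor and product below is a placeholder, not a real catalog entry.
KEV_SAMPLE = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "2024.01.01", "dateReleased": "2024-01-01T00:00:00.0000Z", "count": 2,
  "vulnerabilities": [
    {"cveID": "CVE-2021-10001", "vendorProject": "ExampleVendor", "product": "ExampleVPN",
     "vulnerabilityName": "ExampleVPN Authentication Bypass", "dateAdded": "2023-12-01",
     "shortDescription": "placeholder", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2023-12-22", "knownRansomwareCampaignUse": "Known", "notes": ""},
    {"cveID": "CVE-2019-10002", "vendorProject": "ExampleVendor", "product": "ExampleDB",
     "vulnerabilityName": "ExampleDB Remote Code Execution", "dateAdded": "2023-12-20",
     "shortDescription": "placeholder", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2024-01-10", "knownRansomwareCampaignUse": "Unknown", "notes": ""}
  ]
}"""

# Constructed scanner/CMDB export: one row per (host, CVE) finding.
INVENTORY = [
    {"host": "vpn-gw-01", "cve": "CVE-2021-10001", "remediated": False},
    {"host": "vpn-gw-02", "cve": "CVE-2021-10001", "remediated": True},
    {"host": "app-db-07", "cve": "CVE-2019-10002", "remediated": False},
    {"host": "build-03", "cve": "CVE-2024-10004", "remediated": False},  # not in KEV
]

STATUS_ORDER = {"overdue": 0, "due_soon": 1, "open": 2, "remediated": 3}


def load_kev(feed_text: str) -> dict:
    """Parse the feed and index entries by CVE ID for O(1) lookups."""
    return {v["cveID"]: v for v in json.loads(feed_text)["vulnerabilities"]}


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping the day to the target month's length."""
    years, m0 = divmod(d.month - 1 + months, 12)
    y, m = d.year + years, m0 + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


def default_due_date(cve_id: str, date_added: str) -> str:
    """BOD 22-01 default window: CVE IDs assigned before 2021 get six months,
    all others two weeks. Fallback only: the feed's dueDate is authoritative
    and CISA routinely sets a different window per entry."""
    added = date.fromisoformat(date_added)
    cve_year = int(cve_id.split("-")[1])
    due = add_months(added, 6) if cve_year < 2021 else added + timedelta(days=14)
    return due.isoformat()


def classify(entry: dict, remediated: bool, today: date, due_soon_days: int = 7):
    """Return (status, days): days overdue for 'overdue', days remaining otherwise."""
    if remediated:
        return "remediated", 0
    due_iso = entry.get("dueDate") or default_due_date(entry["cveID"], entry["dateAdded"])
    days_left = (date.fromisoformat(due_iso) - today).days
    if days_left < 0:
        return "overdue", -days_left
    if days_left <= due_soon_days:
        return "due_soon", days_left
    return "open", days_left


def match_inventory(kev: dict, inventory: list, today_iso: str) -> list:
    """Join inventory rows to KEV entries; rows for CVEs not in KEV are dropped."""
    today = date.fromisoformat(today_iso)
    findings = []
    for row in inventory:
        entry = kev.get(row["cve"])
        if entry is None:
            continue
        status, days = classify(entry, row["remediated"], today)
        findings.append({
            "host": row["host"], "cve": row["cve"], "product": entry["product"],
            "dueDate": entry["dueDate"], "status": status, "days": days,
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
        })
    # Worst first: most overdue, then soonest deadline, ransomware-linked ahead of others.
    findings.sort(key=lambda f: (STATUS_ORDER[f["status"]],
                                 -f["days"] if f["status"] == "overdue" else f["days"],
                                 not f["ransomware"]))
    return findings


def summarize(findings: list) -> dict:
    """Counts per status, suitable for a compliance dashboard or SLA report."""
    counts = {s: 0 for s in STATUS_ORDER}
    for f in findings:
        counts[f["status"]] += 1
    return counts


if __name__ == "__main__":
    report = match_inventory(load_kev(KEV_SAMPLE), INVENTORY, "2024-01-05")
    for f in report:
        print(f"{f['status']:<10} {f['days']:>3}d  {f['host']:<10} {f['cve']}  {f['product']}")
    print(summarize(report))
```

Two design points are deliberate. Rows whose CVE is not in the catalog are dropped rather than reported, because the point of the join is to isolate the KEV subset for the SLA clock; they still belong in the ordinary vulnerability backlog. And "remediated" is taken from the inventory row, which in practice should be a rescan result, so the same join doubles as the validation step: a host that was ticketed as patched but still shows the CVE on rescan stays in the overdue bucket.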
Private Sector Adoption
Many private sector organizations have adopted the KEV Catalog as a prioritization input for their vulnerability management programs. Cyber insurance questionnaires now ask about KEV remediation practices, and regulatory frameworks reference exploitation evidence as a factor in assessing patching timeliness. Security rating services and third-party risk assessments may evaluate KEV exposure as an indicator of security posture.
Organizations that adopt the catalog should formalize KEV integration in their vulnerability management policies and set internal remediation SLAs that match or beat the federal windows. Regular reporting of KEV compliance status to security leadership and audit committees demonstrates governance maturity and supports risk management objectives, and board-level visibility into KEV metrics reinforces organizational commitment to preventive security.
Supply chain security considerations also favor KEV awareness. Organizations evaluating vendor security should inquire about KEV remediation practices as part of third-party risk assessments. Contractual requirements for timely vulnerability remediation, referencing KEV timelines, help ensure that supply chain partners maintain adequate security posture and reduce inherited risk exposure.
Integration with Security Operations
Security operations centers should integrate KEV monitoring into daily workflows, ensuring that new catalog additions trigger immediate assessment and remediation planning. Playbooks should define escalation procedures, communication templates, and approval workflows for emergency patching. Collaboration between vulnerability management, incident response, and IT operations teams ensures coordinated remediation efforts.
Threat intelligence feeds complement KEV data by providing context on exploitation methods, threat actor activity, and likely attack vectors. That context helps security teams prioritize among multiple KEV entries and allocate resources effectively. Integration with SIEM platforms enables correlation of KEV vulnerabilities with observed indicators of compromise, which matters because an exploited-in-the-wild vulnerability on an exposed asset should trigger an incident response check, not only a patch ticket.
Metrics tracking should capture key performance indicators including mean time to remediate KEV vulnerabilities, percentage of systems patched within SLA, and exception volume and aging. Regular reporting to security leadership and executive teams shows program effectiveness and supports resource allocation decisions. Trend analysis identifies systemic challenges requiring process improvement.
Summary
BOD 22-01 and the KEV Catalog have fundamentally changed vulnerability prioritization practices across both government and the private sector. Organizations that integrate KEV monitoring into a mature vulnerability management program can significantly reduce exposure to actively exploited vulnerabilities and demonstrate security due diligence to auditors, regulators, and business partners.
Further reading
- Binding Operational Directive 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities — Cybersecurity and Infrastructure Security Agency
- Known Exploited Vulnerabilities Catalog — Cybersecurity and Infrastructure Security Agency