CISA Retires 10 Emergency Directives in 2026

January 12, 2026 — The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has retired 10 Emergency Directives (EDs) issued between 2019 and 2024 — marking the largest single retirement wave in agency history and a major milestone for federal cybersecurity maturity. Announced on January 8, 2026 (with formal updates continuing into January 10), this action confirms that the urgent mitigations required by these directives have been successfully implemented across Federal Civilian Executive Branch (FCEB) agencies or fully incorporated into Binding Operational Directive (BOD) 22-01 (Reducing the Significant Risk of Known Exploited Vulnerabilities). The retired EDs addressed some of the most severe and widely exploited vulnerabilities in recent years, including the SolarWinds supply-chain compromise, Microsoft Exchange ProxyLogon, Log4Shell, VMware vCenter flaws, Pulse Secure VPN issues, PrintNightmare, and others. This shift from reactive emergency orders to sustained, long-term requirements frees resources for emerging threats like AI-enhanced attacks, ransomware evolution, and cloud misconfigurations in 2026.

Which 10 Emergency Directives Were Retired?

The retired directives span critical incidents that once required immediate federal action:

  • ED 19-01 – Mitigate DNS Infrastructure Tampering (No specific CVE; focused on DNS tampering campaign and credential compromise)
  • ED 20-02 – Mitigate Windows Vulnerabilities from January 2020 Patch Tuesday (CVE-2020-0601)
  • ED 20-03 – Mitigate Windows DNS Server Vulnerability from July 2020 Patch Tuesday (CVE-2020-1350)
  • ED 20-04 – Mitigate Netlogon Elevation of Privilege Vulnerability from August 2020 Patch Tuesday (CVE-2020-1472)
  • ED 21-01 – Mitigate SolarWinds Orion Code Compromise (No specific CVE; supply chain compromise with backdoor)
  • ED 21-02 – Mitigate Microsoft Exchange On-Premises Product Vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065)
  • ED 21-03 – Mitigate Pulse Connect Secure Product Vulnerabilities (CVE-2021-22893, CVE-2021-22900, CVE-2021-22894, CVE-2020-8243)
  • ED 21-04 – Mitigate Windows Print Spooler Service Vulnerability (CVE-2021-34527)
  • ED 22-03 – Mitigate VMware Vulnerabilities (CVE-2022-22954, CVE-2022-22960, CVE-2022-22972, CVE-2022-22973)
  • ED 24-02 – Mitigating the Significant Risk from Nation-State Compromise of Microsoft Corporate Email System (No specific CVE; focused on nation-state compromise and email exfiltration)

Seven of these were tied to specific Common Vulnerabilities and Exposures (CVEs) now tracked in CISA’s Known Exploited Vulnerabilities (KEV) catalog. The remaining three were closed because their objectives were achieved, risk postures evolved, and current practices rendered them obsolete.

Why This Retirement Wave Matters in 2026

This largest-ever batch retirement reflects key advancements in federal cyber posture:

  • Integration into BOD 22-01 — BOD 22-01 now serves as the authoritative, ongoing mechanism for vulnerability remediation, requiring agencies to remediate KEVs within strict timelines (e.g., 2 weeks for most new entries, 6 months for older CVEs).
  • Neutralization of Legacy Threats — Vulnerabilities like SolarWinds, Exchange ProxyLogon, Log4Shell, and VMware flaws have been patched for years and are no longer primary active exploitation vectors in most environments.
  • Resource Reallocation — Closing completed directives allows CISA and agencies to prioritize current high-risk areas: AI-powered attacks, ransomware-as-a-service, cloud misconfigurations, and nation-state campaigns.
  • Proof of Maturity — The scale of this retirement demonstrates improved federal patching speed, better vulnerability management processes, and stronger overall cyber hygiene — a direct result of years of collaboration and implementation.

Action Steps for Organizations

While federal agencies have met these requirements, private sector, critical infrastructure, and state/local entities should:

  • Audit legacy systems — Verify that all instances of retired vulnerabilities (SolarWinds, Exchange, Log4Shell, VMware, etc.) are patched or decommissioned.
  • Align with BOD 22-01 — Adopt automated scanning, timely patching (within CISA’s KEV deadlines), and compensating controls where immediate fixes are impractical.
  • Monitor the KEV Catalog — Regularly check CISA’s Known Exploited Vulnerabilities list for new high-risk entries added within 24 hours of exploitation evidence.
  • Strengthen defenses — Implement zero-trust architecture, AI-enhanced threat detection, automated remediation, and Secure by Design principles to address 2026 threats.
  • Report and collaborate — Participate in information sharing with CISA and industry partners to stay ahead of evolving risks.

Looking Ahead

The retirement of these 10 Emergency Directives marks a deliberate shift from short-term crisis response to sustainable, long-term cybersecurity resilience. While legacy threats are being retired, the cyber landscape remains dynamic — with AI acceleration, ransomware sophistication, supply-chain risks, and nation-state actors driving new challenges. Organizations that treat BOD 22-01 and the KEV catalog as foundational elements of their strategy will be best positioned to mitigate risk in 2026 and beyond.

“The retirement of these ten Emergency Directives reflects CISA’s commitment to operational collaboration across the federal enterprise and our ongoing efforts to transition from reactive emergency response to proactive, enduring vulnerability management. By integrating these critical mitigations into BOD 22-01, we are ensuring agencies maintain a consistent, long-term approach to reducing significant risk from known exploited vulnerabilities.” – CISA Acting Director Madhu Gottumukkala, January 10, 2026

Source and Full Details

For the complete list of retired directives and current BOD 22-01 requirements, visit the official CISA resources:

CISA Retires Ten Emergency Directives – Official Announcement

Binding Operational Directive 22-01 – Reducing the Significant Risk of Known Exploited Vulnerabilities

Known Exploited Vulnerabilities Catalog (KEV)


© 2026 ByteVanguard • Independent Cyber Threat Intelligence