Cybersecurity Directives

This page and all content is transitioning to CISA.gov/directives. While this transition occurs, previously posted content will remain here, but all new products are being posted on CISA.gov/directives.

The Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security (DHS) develops and oversees the implementation of “binding operational directives” and “emergency directives,” which require action on the part of certain federal agencies in the civilian Executive Branch.

Emergency Directives

• ED 21-04 - Mitigate Windows Print Spooler Service Vulnerability
• ED 21-03 - Mitigate Pulse Connect Secure Product Vulnerabilities
• ED 21-02 - Mitigate Microsoft Exchange On-Premises Product Vulnerabilities
• ED 21-01 - Mitigate SolarWinds Orion Code Compromise
• ED 20-04 - Mitigate Netlogon Elevation of Privilege Vulnerability from August 2020 Patch Tuesday
• ED 20-03 - Mitigate Windows DNS Server Vulnerability from July 2020 Patch Tuesday
• ED 20-02 - Mitigate Windows Vulnerabilities from January 2020 Patch Tuesday
• ED 19-01 - Mitigate DNS Infrastructure Tampering

Binding Operational Directives

• BOD 22-01 - Reducing the Significant Risk of Known Exploited Vulnerabilities
• BOD 20-01 - Develop and Publish a Vulnerability Disclosure Policy
• BOD 19-02 - Vulnerability Remediation Requirements for Internet-Accessible Systems
• BOD 18-02 - Securing High Value Assets
• BOD 18-01 - Enhance Email and Web Security
• BOD 17-01 - Removal of Kaspersky-branded Products
• BOD 16-03 - 2016 Agency Cybersecurity Reporting Requirements
• BOD 16-02 - Threat to Network Infrastructure Devices
• BOD 16-01 - Securing High Value Assets (Revoked)
• BOD 15-01 - Critical Vulnerability Mitigation (Revoked)