Agentic Security Academy

What Is CISA BOD 22-01?

Steph Newman
Takeaways

  • BOD 22-01 makes KEV remediation mandatory for federal agencies: It establishes specific timelines for remediating vulnerabilities confirmed as actively exploited.

  • The directive created the KEV catalog: BOD 22-01 established the Known Exploited Vulnerabilities catalog as the authoritative list driving remediation requirements.

  • Remediation timelines are aggressive: Typical deadlines are 14-21 days from catalog addition for most entries.

  • Private organizations are not bound but should pay attention: The KEV catalog and its timelines represent best-practice benchmarks for any organization.

  • BOD 22-01 shifts from severity-based to exploitation-based prioritization: By mandating remediation based on confirmed exploitation rather than CVSS scores, the directive models risk-based prioritization.

What Is CISA BOD 22-01?

Binding Operational Directive 22-01, titled "Reducing the Significant Risk of Known Exploited Vulnerabilities," is a directive issued by the Cybersecurity and Infrastructure Security Agency (CISA) in November 2021 that requires all federal civilian executive branch (FCEB) agencies to remediate vulnerabilities that CISA has identified as actively exploited in the wild. The directive established the Known Exploited Vulnerabilities (KEV) catalog as the authoritative source for identifying these vulnerabilities and set mandatory remediation timelines for all federal agencies.

BOD 22-01 represented a significant shift in how the federal government approaches vulnerability prioritization. Rather than requiring agencies to remediate based on CVSS severity scores (which treat all critical vulnerabilities as equally urgent), the directive focuses on confirmed exploitation: vulnerabilities that attackers are actually using in real-world attacks. This exploitation-based prioritization model directs remediation effort toward the threats that pose the most immediate, demonstrated risk.

The directive applies to all FCEB agencies, covering hundreds of government organizations and their systems. While BOD 22-01 is not legally binding on state, local, tribal, and territorial (SLTT) governments or private-sector organizations, CISA strongly recommends that all organizations adopt the KEV catalog as a prioritization input. The directive has had outsized influence beyond its legal scope because the KEV catalog it established has become one of the most widely used threat intelligence sources in vulnerability management worldwide.

What the Directive Requires

Process Integration

BOD 22-01 establishes two primary requirements for federal agencies. First, agencies must review and update their internal vulnerability management procedures to address the KEV catalog within their existing processes. This means integrating KEV checks into scanning and prioritization workflows, establishing ownership and accountability for KEV remediation, and ensuring that the agency has the operational capacity to meet the directive's timelines.

Mandatory Remediation Timelines

Second, agencies must remediate each vulnerability in the KEV catalog by the due date specified in the catalog entry. When CISA adds a new CVE to the KEV, the entry includes a remediation due date, typically 14 to 21 days after the addition date. For the initial batch of CVEs added when the catalog launched, longer timelines were provided to account for the backlog. Agencies that cannot meet the deadline must document the delay, implement compensating controls, and establish a plan for completing remediation.

Reporting and Accountability

The directive requires agencies to report their remediation status through existing CISA reporting mechanisms. CISA uses this reporting to track government-wide compliance and identify agencies that need additional support or resources to meet the remediation requirements. The reporting requirement creates accountability that extends beyond individual agency security teams to agency leadership.

The KEV Catalog as an Enforcement Mechanism

How Catalog Additions Trigger Action

BOD 22-01 is enforced through the KEV catalog. When CISA adds a CVE to the catalog, it triggers a mandatory remediation clock for all federal agencies. The catalog addition includes the CVE identifier, affected vendor and product, a description, the required remediation action (typically "apply vendor update"), and the due date by which remediation must be complete.


Inclusion Criteria and Limitations

CISA's inclusion criteria require three conditions: the vulnerability must have a CVE identifier, there must be reliable evidence of active exploitation, and a clear remediation action (usually a vendor patch) must be available. The third criterion means that zero-day vulnerabilities without patches are not added to the KEV, even if they are being actively exploited. This limitation exists because the directive mandates remediation, and a mandate to remediate when no fix exists would be impossible to satisfy.

The catalog has grown steadily since its establishment, with CISA adding new entries multiple times per month. As of mid-2026, the catalog contains over 1,100 entries. Each addition triggers the remediation clock for federal agencies and serves as a high-confidence signal for all organizations that the identified vulnerability is being actively exploited and should be prioritized.

Why BOD 22-01 Matters Beyond the Federal Government

Validating Exploitation-Based Prioritization

BOD 22-01's influence extends far beyond the federal agencies it legally covers. The directive validated the exploitation-based prioritization approach that the cybersecurity community had been advocating for years. By mandating remediation based on confirmed exploitation rather than CVSS severity, CISA established a government-endorsed model for risk-based vulnerability management that private organizations increasingly adopt.


KEV as an Industry Standard

The KEV catalog created by the directive has become a standard intelligence source for vulnerability management programs across all sectors. Commercial vulnerability management platforms integrate KEV data as a standard prioritization feature. Insurance providers and risk assessors reference KEV compliance as a security posture indicator. Security auditors ask about KEV remediation status in vendor risk assessments and compliance reviews. The directive's practical impact on private-sector security practices exceeds its legal scope because the intelligence resource it created is universally valuable.

Private organizations that adopt KEV-aligned prioritization benefit from the same risk reduction logic that the directive applies to federal agencies: confirmed exploitation represents the highest-confidence threat signal available, and remediation effort directed at confirmed threats produces more risk reduction per hour of work than effort directed at theoretically severe but unconfirmed risks. Organizations that remediate KEV-listed findings within 14-21 days, regardless of whether they are legally required to, close the window on the most dangerous active threats in their environment.

Implementing BOD 22-01 Principles in Any Organization

Practical Adoption Steps

Organizations outside the federal government can adopt BOD 22-01 principles by integrating the KEV catalog into their vulnerability management workflows. The steps are straightforward: automate the correlation of scan findings against the KEV catalog using the freely available JSON feed; establish a KEV-specific SLA (14-21 days is the federal standard); escalate KEV-matched findings to top priority regardless of CVSS score; track KEV compliance as a distinct metric in reporting dashboards; and conduct a one-time backfill to check all open vulnerabilities against the full catalog.
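The correlation, escalation and SLA steps above, as an added example in Python (it is not code from the article or from Cogent). The feed sample is constructed in the shape of the JSON that CISA publishes as known_exploited_vulnerabilities.json: the field names (cveID, dateAdded, dueDate, requiredAction, knownRansomwareCampaignUse) are the published ones, but the CVE IDs, vendor, products, assets and scores are placeholders. The 14-day internal SLA is an assumption at the short end of the 14-21 day range the page cites, and the CVSS-band fallback priorities for non-KEV findings are the example's own.

```python
"""Correlate scanner findings against a KEV-shaped JSON feed and apply an
exploitation-first SLA (added example; placeholder identifiers throughout)."""
import json
from datetime import date, timedelta

# Constructed feed in the shape of CISA's KEV JSON. Field names follow the
# published feed; the CVE IDs, vendor and products are placeholders, not real entries.
KEV_FEED_JSON = json.dumps({
    "title": "constructed KEV sample", "catalogVersion": "0000.00.00",
    "dateReleased": "2026-06-01T00:00:00.0000Z", "count": 2,
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "ExampleVPN",
         "vulnerabilityName": "placeholder", "dateAdded": "2026-05-20",
         "shortDescription": "placeholder", "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2026-06-10", "knownRansomwareCampaignUse": "Known", "notes": ""},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "ExampleWeb",
         "vulnerabilityName": "placeholder", "dateAdded": "2026-05-28",
         "shortDescription": "placeholder", "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2026-06-18", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    ],
})

# Constructed scanner export: one row per (asset, CVE) with the CVSS base score.
SCAN_FINDINGS = [
    {"asset": "vpn-edge-01", "cve": "CVE-0000-0001", "cvss": 6.5},  # medium by CVSS, in KEV
    {"asset": "web-app-03",  "cve": "CVE-0000-0002", "cvss": 7.8},  # high by CVSS, in KEV
    {"asset": "db-core-07",  "cve": "CVE-0000-0003", "cvss": 9.8},  # critical by CVSS, not in KEV
    {"asset": "file-srv-02", "cve": "CVE-0000-0004", "cvss": 4.3},  # medium, not in KEV
]

KEV_SLA_DAYS = 14  # assumed internal SLA; the page cites 14-21 days as the federal standard


def load_kev(feed_json):
    """Index the feed by CVE ID so each scan finding is a single dict lookup."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def cvss_priority(score):
    """Fallback priority for findings that are not in KEV, from CVSS bands (example's own)."""
    if score >= 9.0:
        return "P2"
    if score >= 7.0:
        return "P3"
    return "P4"


def prioritize(findings, kev, sla_days=KEV_SLA_DAYS):
    """Annotate each finding with KEV match, priority and due date.

    A KEV match is P1 regardless of CVSS. Its due date is the earlier of the
    catalog's dueDate and dateAdded + the internal SLA, so a private SLA can be
    tighter than the federal deadline but never looser. Running this over every
    open finding is the one-time backfill the adoption steps call for.
    """
    rows = []
    for f in findings:
        entry = kev.get(f["cve"])
        if entry is None:
            rows.append({**f, "kev": False, "priority": cvss_priority(f["cvss"]), "due": None})
            continue
        added = date.fromisoformat(entry["dateAdded"])
        due = min(date.fromisoformat(entry["dueDate"]), added + timedelta(days=sla_days))
        rows.append({**f, "kev": True, "priority": "P1", "due": due.isoformat(),
                     "required_action": entry["requiredAction"],
                     "ransomware_use": entry["knownRansomwareCampaignUse"] == "Known"})
    # P1 first; within a priority band, higher CVSS first.
    return sorted(rows, key=lambda r: (r["priority"], -r["cvss"]))


def kev_status(rows, today_iso):
    """The distinct KEV metric for a dashboard: open KEV findings and how many are past due."""
    today = date.fromisoformat(today_iso)
    kev_rows = [r for r in rows if r["kev"]]
    overdue = [r for r in kev_rows if date.fromisoformat(r["due"]) < today]
    return {"open_kev": len(kev_rows), "overdue_kev": len(overdue),
            "overdue_assets": sorted(r["asset"] for r in overdue)}


if __name__ == "__main__":
    ranked = prioritize(SCAN_FINDINGS, load_kev(KEV_FEED_JSON))
    for r in ranked:
        print(r["priority"], r["asset"], r["cve"], "CVSS", r["cvss"], "due", r["due"])
    print(kev_status(ranked, "2026-06-05"))
```

The point the ordering makes is the one the directive makes: the CVSS 6.5 VPN finding outranks the CVSS 9.8 database finding because only the former is confirmed exploited. Taking the earlier of the catalog due date and the internal SLA keeps the federal deadline as a ceiling while letting the organization run a tighter clock; swap the constructed feed for the live file and the scanner rows for a real export and the logic is unchanged.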

Organizations that adopt these practices gain the primary benefit of BOD 22-01 without the compliance overhead: their remediation effort is directed at vulnerabilities confirmed as actively exploited, reducing the most immediate and demonstrable risk in their environment. The KEV catalog provides this capability at no cost, with minimal integration effort, and with the authority of the nation's primary cybersecurity agency backing the exploitation assessments.


Using KEV for Leadership Communication

Leadership communication benefits from the KEV framework as well. Telling a board that "we have zero open vulnerabilities that the U.S. government has confirmed are being actively exploited by attackers" is a concrete, credible, and compelling statement of security posture. It translates complex vulnerability management metrics into a risk statement that non-technical stakeholders can understand and evaluate. The KEV catalog provides the data to make this statement, and BOD 22-01 provides the authoritative context that gives the statement weight.

BOD 22-01 and the Evolution of Federal Cybersecurity

BOD 22-01 is part of a broader evolution in how the federal government approaches cybersecurity risk management. Previous directives focused on implementing specific security controls (BOD 15-01 on critical vulnerabilities, BOD 19-02 on internet-facing vulnerabilities) or specific threat responses. BOD 22-01 advanced this approach by establishing a permanent, continuously updated mechanism for prioritizing remediation based on real-world threat data rather than static severity assessments.

The directive complemented other CISA initiatives including the Shields Up campaign (heightened threat awareness guidance), the Cyber Safety Review Board (post-incident analysis), and the Secure by Design initiative (shifting security responsibility to software manufacturers). Together, these initiatives represent a shift from reactive, compliance-driven cybersecurity toward proactive, threat-informed risk management across the federal government and, by influence, the broader economy.

BOD 22-01 also established a precedent for data-driven security policy. By tying mandatory remediation to a dynamically updated catalog of confirmed exploited vulnerabilities, CISA created a policy mechanism that adapts to the threat landscape in near-real-time. Traditional compliance requirements are static until the next regulatory update cycle. The KEV catalog updates multiple times per month, making BOD 22-01 one of the most responsive compliance mechanisms in cybersecurity.

For organizations outside the federal government, BOD 22-01 demonstrates what exploitation-based prioritization looks like when applied at scale with accountability. Its principles (prioritize based on confirmed threats, set aggressive but achievable remediation timelines, track compliance transparently, and continuously update the threat input) are applicable to any organization regardless of whether the directive legally applies. Organizations that adopt these principles in their own vulnerability management programs benefit from the same risk-based approach that the federal government uses to protect its systems.

Measuring BOD 22-01 Impact

The impact of BOD 22-01 can be measured at both the organizational and ecosystem levels. Organizations that adopt KEV-aligned prioritization can measure the reduction in their exposure window for confirmed exploited vulnerabilities: the time between KEV catalog addition and completed remediation across all affected assets. Shorter exposure windows directly reduce the risk of exploitation by active threat campaigns.
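The exposure-window metric defined above (time from KEV catalog addition to completed remediation, per affected asset), as an added example in Python; it is not code from the article or from Cogent. The CVE IDs, dates and asset names are constructed placeholders, and the 14-day SLA used for the "closed within SLA" share is an assumption. The example handles the two cases a naive subtraction gets wrong: an asset patched before the catalog addition (zero exposure, since the window starts when exploitation is confirmed) and a finding that is still open (exposure keeps accruing to the as-of date rather than dropping out of the metric).

```python
"""Exposure window per KEV finding: days from catalog dateAdded to completed
remediation (added example; placeholder identifiers throughout)."""
from datetime import date
from statistics import median

# Constructed KEV additions keyed by placeholder CVE IDs (not real catalog entries).
KEV_DATE_ADDED = {"CVE-0000-0001": "2026-05-20", "CVE-0000-0002": "2026-05-28"}

# Constructed remediation ledger: (asset, cve, remediated_on); None means still open.
REMEDIATION_LOG = [
    ("vpn-edge-01", "CVE-0000-0001", "2026-05-29"),
    ("vpn-edge-02", "CVE-0000-0001", "2026-05-15"),  # patched before the catalog addition
    ("web-app-03",  "CVE-0000-0002", None),          # still open
    ("web-app-04",  "CVE-0000-0002", "2026-06-04"),
]


def exposure_windows(log, kev_added, as_of_iso):
    """One row per (asset, CVE) with its exposure window in days.

    A fix applied before dateAdded counts as zero exposure (the window is measured
    from the point exploitation was confirmed), and a finding that is still open
    accrues exposure up to the as-of date instead of vanishing from the metric.
    """
    as_of = date.fromisoformat(as_of_iso)
    rows = []
    for asset, cve, fixed in log:
        added = date.fromisoformat(kev_added[cve])
        end = date.fromisoformat(fixed) if fixed is not None else as_of
        rows.append({"asset": asset, "cve": cve, "days": max(0, (end - added).days),
                     "open": fixed is None})
    return rows


def summarize(rows, sla_days=14):
    """Dashboard summary: median and worst exposure, share closed within SLA, open count."""
    closed = [r for r in rows if not r["open"]]
    within = [r for r in closed if r["days"] <= sla_days]
    return {
        "median_days": median([r["days"] for r in rows]),
        "max_days": max(r["days"] for r in rows),
        "closed_within_sla_pct": round(100 * len(within) / len(closed), 1) if closed else None,
        "open": sum(1 for r in rows if r["open"]),
    }


if __name__ == "__main__":
    rows = exposure_windows(REMEDIATION_LOG, KEV_DATE_ADDED, "2026-06-12")
    for r in rows:
        print(r)
    print(summarize(rows))
```

Reporting the maximum alongside the median matters: the open web-app-03 finding is the one that should pull the dashboard red, and excluding open findings from the window would hide exactly the asset that is still exposed to an active campaign.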

At the ecosystem level, BOD 22-01 has contributed to faster patching of actively exploited vulnerabilities across the federal government and, by influence, the private sector. The directive's emphasis on confirmed exploitation has also shifted industry conversations about vulnerability management from "how many critical findings do we have" to "how quickly do we remediate confirmed threats," which represents a fundamental improvement in how organizations think about and measure their security posture.

For organizations evaluating whether to adopt KEV-aligned prioritization, the data is compelling. Research comparing KEV-informed remediation strategies against CVSS-only approaches shows that KEV-focused programs address a higher percentage of actually exploited vulnerabilities with fewer total remediation actions. This efficiency gain comes from the high-confidence nature of the KEV signal: every entry represents a confirmed threat, not a theoretical one. Programs that focus remediation effort on confirmed threats achieve more risk reduction per unit of effort than programs that treat all high-severity findings equally.

See Cogent In Action

Schedule a personalized demo today to learn how Cogent can supercharge your vulnerability management program.