Skip to content
You can now search across every topic, entity and event.What's new
BOD 22-01
LegislationUS

BOD 22-01

CISA's 2021 KEV mandatory-patch directive for US federal agencies, revoked and superseded by BOD 26-04 on 10 June 2026.

Last refreshed: 24 June 2026 · Appears in 1 active topic

Key Question

What replaced BOD 22-01 after CISA revoked it in June 2026?

Timeline for BOD 22-01

#94 Jul

Mentioned in: BOD 26-04, a fortnight of triage

Cybersecurity: Threats and Defences
#810 Jun

Superseded by BOD 26-04 on 10 June 2026

Cybersecurity: Threats and Defences: CISA tears up its KEV deadline rules
#79 Jun

Arista refuses to patch KEV flaw

Cybersecurity: Threats and Defences
#415 May

Exchange repeats the CISA deadline-before-patch trap

Cybersecurity: Threats and Defences
#414 May

Mentioned in: UAT-8616 keeps Cisco SD-WAN under fire

Cybersecurity: Threats and Defences
View full timeline →
Common Questions
What is CISA Binding Operational Directive 22-01?
BOD 22-01 is the CISA directive that created the Known Exploited Vulnerabilities catalogue in 2021, compelling US federal civilian agencies to patch listed vulnerabilities within CISA-set deadlines, typically two weeks.Source: CISA
Does the CISA KEV catalogue apply to private companies?
BOD 22-01 only mandates compliance from US federal civilian executive branch agencies. However, the KEV list is widely used by the private sector, insurers, and procurement teams as a minimum patching benchmark.
Why is CISA setting patch deadlines before Microsoft releases a fix?
CISA has issued two federal deadlines in May 2026 before patches existed: a three-day Deadline for Cisco SD-WAN (CVE-2026-20182) and a 29 May Deadline for Exchange CVE-2026-42897 with no Microsoft patch available. BOD 22-01 does not define mitigation as a compliant substitute for patching.Source: CISA

Background

Binding Operational Directive 22-01 (BOD 22-01) was the CISA instrument that created the Known Exploited Vulnerabilities (KEV) catalogue in November 2021, requiring all US federal civilian executive branch agencies to remediate listed vulnerabilities within fixed deadlines (typically 14 days, compressible to 3 days for Emergency Directives). On 10 June 2026 CISA revoked BOD 22-01 entirely and replaced it with BOD 26-04, a risk-tiered model that abandoned the uniform-Deadline architecture. BOD 26-04 assigns one of four windows (3-day, 14-day, 60-day, or next-upgrade-cycle) based on four risk dimensions: exploitation status, CVSS severity, asset criticality, and patch availability. The revocation created transitional ambiguity for in-flight deadlines, including Arista's 23 June window set under the old order.

The replacement was driven by accumulated failure modes the original directive could not absorb. BOD 22-01 had been drafted on the structural assumption that a patch or documented workaround would exist before CISA set a Deadline. That assumption fractured on two fault lines in spring 2026: the Deadline-before-patch pattern (Emergency Directive ED 26-03 set a three-day Cisco SD-WAN window before Cisco had a patch; Exchange CVE-2026-42897 had a 29 May federal Deadline but the fix only arrived 9 June, sixteen days late) ; and vendor refusal (Arista formally declined to ship a software fix for CVE-2026-7473, the first on-record KEV entry where a named vendor explicitly refused to patch).

BOD 22-01 remains significant as a historical baseline: its fixed-Deadline model ran for nearly five years and produced the KEV catalogue that is now a de facto industry patch benchmark extending well beyond its federal scope. Private-sector insurers, procurement teams, and security auditors continue to treat KEV listings as the minimum mandatory-patch universe regardless of the directive model change. BOD 26-04 inherits the catalogue but replaces the compliance mechanics; the patch-obligation logic that made BOD 22-01 the most operationally influential US federal cybersecurity directive since FISMA is now formally retired.

More questions
What happens if a federal agency cannot patch a KEV vulnerability in time?
Agencies must document their remediation posture. Where no patch exists, they typically apply vendor workarounds and report the non-compliance, though BOD 22-01's text does not explicitly permit mitigation as a substitute for remediation.
Can a vendor refuse to fix a vulnerability that CISA has listed in the KEV catalogue?
Yes, in practice. Arista Networks confirmed in June 2026 it would not ship a software patch for KEV-listed CVE-2026-7473, citing configuration-breaking concerns, and offered only ACL mitigations instead. BOD 22-01 imposes obligations on federal agencies, not on vendors.Source: CISA KEV Catalogue
Was the Exchange Server CVE-2026-42897 patch ever released?
Yes. Microsoft shipped the fix in its June 2026 Patch Tuesday on 9 June 2026, sixteen days after the CISA federal Deadline of 29 May 2026.Source: Microsoft Security Response Center
What is BOD 22-01 and why was it revoked?
BOD 22-01 was CISA's 2021 Binding Operational Directive that created the KEV catalogue and required US federal agencies to patch listed flaws within fixed deadlines. CISA revoked it on 10 June 2026 and replaced it with BOD 26-04, a risk-tiered model with four Deadline windows, after spring 2026 exposed two structural failures: deadlines set before patches existed, and a vendor formally refusing to patch.Source: CISA
What is BOD 26-04 and how does it differ from BOD 22-01?
BOD 26-04 replaced BOD 22-01 on 10 June 2026. Instead of uniform 14-day or 3-day windows, it assigns remediation deadlines of 3, 14, or 60 days, or the next upgrade cycle, based on four risk dimensions: exploitation status, CVSS score, asset criticality, and patch availability.Source: event
Does the KEV catalogue still apply now that BOD 22-01 has been revoked?
Yes. The KEV catalogue continues under BOD 26-04. The catalogue itself is unchanged; only the compliance mechanics and Deadline structure were replaced. Private-sector insurers and procurement teams still treat KEV listings as the minimum mandatory-patch universe.Source: event
Why did CISA set federal patch deadlines before patches were available in 2026?
BOD 22-01's fixed-Deadline model assumed a patch or workaround would exist before CISA acted. In May 2026 CISA issued deadlines for Cisco SD-WAN and Exchange Server before fixes were available; the Exchange patch arrived sixteen days after the federal Deadline. BOD 26-04's next-upgrade-cycle tier is designed to avoid this.Source: event
Source Material