Legislation · US

BOD 22-01

Binding Operational Directive 22-01: the US CISA directive establishing the Known Exploited Vulnerabilities catalogue as a mandatory patch-compliance instrument for federal civilian agencies.

Last refreshed: 20 May 2026

Key Question

Can a federal compliance deadline be legal when no patch exists to comply with?

Timeline for BOD 22-01

#415 (May): Exchange repeats the CISA deadline-before-patch trap (Cybersecurity: Threats and Defences)
#414 (May): Mentioned in: UAT-8616 keeps Cisco SD-WAN under fire (Cybersecurity: Threats and Defences)
#413 (May)
Common Questions
What is CISA Binding Operational Directive 22-01?
BOD 22-01 is the CISA directive that created the Known Exploited Vulnerabilities (KEV) catalogue in November 2021. It compels US federal civilian executive branch agencies to remediate every listed vulnerability within a CISA-set deadline: two weeks for CVEs assigned from 2021 onward, six months for older CVEs, and shorter windows where CISA chooses to set them. (Source: CISA)
Does the CISA KEV catalogue apply to private companies?
BOD 22-01 binds only US federal civilian executive branch agencies; it has no legal force over private companies. In practice, however, the KEV catalogue is widely used by the private sector, cyber insurers, and procurement teams as a minimum patching benchmark, so a KEV listing tends to become a contractual or underwriting expectation even where it is not a legal one.
Why is CISA setting patch deadlines before Microsoft releases a fix?
In May 2026 CISA set two federal deadlines before a vendor patch existed: a three-day deadline for Cisco SD-WAN CVE-2026-20182 and a 29 May deadline for Exchange Server CVE-2026-42897, for which Microsoft had published only a mitigation and no patch. CISA's position is that active exploitation, not patch availability, drives the deadline. The directive's text requires "remediation" and does not define mitigation as a compliant substitute for patching. (Source: CISA)
What happens if a federal agency cannot patch a KEV vulnerability in time?
Agencies must report their remediation status to CISA. Where no patch exists, they typically apply the vendor's published workaround and report the residual non-compliance. The directive's own text does not explicitly permit mitigation as a substitute for remediation; the nearest thing to sanction is the per-entry Required Action field in the KEV catalogue, which commonly instructs agencies to apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable. That catalogue guidance, not the directive, is what a federal CISO is relying on when a workaround is the only available response.

Background

Binding Operational Directive 22-01 (BOD 22-01) is the CISA instrument that created the Known Exploited Vulnerabilities (KEV) catalogue in November 2021. It requires all US federal civilian executive branch agencies to remediate listed vulnerabilities within CISA-set deadlines: two weeks for CVEs assigned from 2021 onward, six months for older CVEs, and as little as three days when CISA responds to critical active exploitation with an Emergency Directive. The directive has no statutory force against private-sector organisations, but the KEV catalogue functions as a de facto industry benchmark: insurers, procurement teams, and security auditors treat KEV-listed CVEs as the minimum mandatory-patch universe.

BOD 22-01 was drafted on the structural assumption that a patch or documented workaround would exist before CISA set a deadline. That assumption frayed in 2026. On 14 May 2026 CISA issued Emergency Directive ED 26-03 for Cisco SD-WAN CVE-2026-20182 (CVSS 10.0) with a three-day remediation window, before Cisco had confirmed a patch timeline. On 15 May 2026 CISA added Exchange Server CVE-2026-42897 to the catalogue with a 29 May deadline while Microsoft's only available step was the Exchange Emergency Mitigation Service workaround, not a full patch. That made two deadline-before-patch events in twelve days, which establishes the practice as CISA's posture rather than an exception.

The practical tension is built into the directive's text: BOD 22-01 requires "remediation" but never defines mitigation as a compliant substitute. A federal CISO facing an unpatchable KEV deadline must therefore document a workaround response that the directive does not explicitly sanction, leaning on the catalogue's per-entry Required Action guidance rather than on the directive itself. That gap has now accumulated two public worked examples inside a single reporting window.

Source Material