
BOD 22-01
CISA's 2021 KEV mandatory-patch directive for US federal agencies, revoked and superseded by BOD 26-04 on 10 June 2026.
Last refreshed: 24 June 2026 · Appears in 1 active topic
What replaced BOD 22-01 after CISA revoked it in June 2026?
Timeline for BOD 22-01
Mentioned in: BOD 26-04, a fortnight of triage
Cybersecurity: Threats and DefencesSuperseded by BOD 26-04 on 10 June 2026
Cybersecurity: Threats and Defences: CISA tears up its KEV deadline rulesArista refuses to patch KEV flaw
Cybersecurity: Threats and DefencesExchange repeats the CISA deadline-before-patch trap
Cybersecurity: Threats and DefencesMentioned in: UAT-8616 keeps Cisco SD-WAN under fire
Cybersecurity: Threats and DefencesWhat is CISA Binding Operational Directive 22-01?
Does the CISA KEV catalogue apply to private companies?
Why is CISA setting patch deadlines before Microsoft releases a fix?
Background
Binding Operational Directive 22-01 (BOD 22-01) was the CISA instrument that created the Known Exploited Vulnerabilities (KEV) catalogue in November 2021, requiring all US federal civilian executive branch agencies to remediate listed vulnerabilities within fixed deadlines (typically 14 days, compressible to 3 days for Emergency Directives). On 10 June 2026 CISA revoked BOD 22-01 entirely and replaced it with BOD 26-04, a risk-tiered model that abandoned the uniform-Deadline architecture. BOD 26-04 assigns one of four windows (3-day, 14-day, 60-day, or next-upgrade-cycle) based on four risk dimensions: exploitation status, CVSS severity, asset criticality, and patch availability. The revocation created transitional ambiguity for in-flight deadlines, including Arista's 23 June window set under the old order.
The replacement was driven by accumulated failure modes the original directive could not absorb. BOD 22-01 had been drafted on the structural assumption that a patch or documented workaround would exist before CISA set a Deadline. That assumption fractured on two fault lines in spring 2026: the Deadline-before-patch pattern (Emergency Directive ED 26-03 set a three-day Cisco SD-WAN window before Cisco had a patch; Exchange CVE-2026-42897 had a 29 May federal Deadline but the fix only arrived 9 June, sixteen days late) ; and vendor refusal (Arista formally declined to ship a software fix for CVE-2026-7473, the first on-record KEV entry where a named vendor explicitly refused to patch).
BOD 22-01 remains significant as a historical baseline: its fixed-Deadline model ran for nearly five years and produced the KEV catalogue that is now a de facto industry patch benchmark extending well beyond its federal scope. Private-sector insurers, procurement teams, and security auditors continue to treat KEV listings as the minimum mandatory-patch universe regardless of the directive model change. BOD 26-04 inherits the catalogue but replaces the compliance mechanics; the patch-obligation logic that made BOD 22-01 the most operationally influential US federal cybersecurity directive since FISMA is now formally retired.