Skip to content
You can now search across every topic, entity and event.What's new
CISA
OrganisationUS

CISA

US federal cyber lead; runs the KEV catalogue with mandatory federal patch deadlines.

Last refreshed: 24 June 2026 · Appears in 1 active topic

Key Question

How can CISA enforce its own KEV catalogue with 860 fewer staff?

Timeline for CISA

#1014 Jul

Added seven CVEs to the KEV catalogue over the fortnight

Cybersecurity: Threats and Defences: A quiet KEV fortnight, then a 2008 bug
#94 Jul

Added six actively exploited CVEs to KEV across three updates this fortnight

Cybersecurity: Threats and Defences: BOD 26-04, a fortnight of triage
#91 Jul

Updated the CVE-2026-33825 KEV entry to confirm ransomware exploitation for SYSTEM access

Cybersecurity: Threats and Defences: BlueHammer turns into a ransomware step
#91 Jul

Added CVE-2026-45659 to the KEV catalogue with a three-day FCEB deadline

Cybersecurity: Threats and Defences: SharePoint patch clock runs out today
#91 Jul

Flagged the FortiBleed credential set as privately held

Cybersecurity: Threats and Defences: Lynx crew cashes in FortiBleed haul
View full timeline →
Common Questions
Is CISA being cut under Trump's 2027 budget?
Trump's FY27 budget request proposes a $707m cut and the elimination of around 860 CISA positions, reducing the agency to roughly $2bn in operating budget.Source: event
How many vulnerabilities are in the CISA KEV catalogue?
Approximately 1,627 entries as of mid-June 2026, growing at roughly two CVEs per day.Source: event
What is CISA BOD 26-04 and how does it change KEV patch deadlines?
BOD 26-04, issued 10 June 2026, revokes BOD 22-01 and replaces fixed 14-day/7-day KEV windows with a four-tier risk model: 3 days, 14 days, 60 days, or next upgrade cycle, based on exploitability, exposure, asset criticality, and threat actor behaviour.Source: CISA BOD 26-04

Background

The Cybersecurity and Infrastructure Security Agency (CISA) is the US federal lead for protecting critical infrastructure and federal civilian networks. Created by Congress in 2018, it runs the Known Exploited Vulnerabilities (KEV) catalogue, which issues mandatory patch deadlines for Federal Civilian Executive Branch agencies and voluntary urgency signals for private-sector organisations. The agency also leads the Joint Cyber Defence Collaborative, co-ordinates national counter-ransomware response, and provides election infrastructure security support to all fifty states. CISA operates within the Department of Homeland Security and works in formal partnership with the Five Eyes national CERTs, including the UK NCSC.

CISA's posture on patch enforcement underwent a structural shift on 10 June 2026 when the agency issued Binding Operational Directive 26-04, formally revoking BOD 22-01. The fixed-window KEV regime (14 days for non-critical, 2-7 days for critical) has been replaced by a four-dimension risk-tiered model assigning remediation windows of 3 days, 14 days, 60 days, or next upgrade cycle based on exploitability, exposure, criticality of the affected asset, and known threat actor behaviour. The first batch of KEV additions filed under the new tier structure landed on 23 June, when CISA assigned the three Ubiquiti CVSS 10.0 chain CVEs to the top 3-day tier, confirming the model applies from the directive's effective date.

The BOD 26-04 transition creates a period of ambiguity for in-flight deadlines set under the revoked order: at least one active window (Arista's 23 June obligation) was issued before 10 June, making its status under the new regime unclear. The KEV catalogue itself continues to grow; it stood at approximately 1,627 entries as of mid-June 2026, accruing at roughly two CVEs per day; this growth runs against the backdrop of a proposed $707m budget cut in the FY27 request that would eliminate around 860 CISA positions, reducing the agency's capacity to maintain the advisory quality on which the KEV signal depends. The simultaneous expansion of the catalogue and contraction of the agency's staffing base represents the central structural tension in US federal cyber posture heading into the second half of 2026.

More questions
What happens when a CISA patch deadline comes before the vendor fix?
In May 2026, CISA set a 9 May federal Deadline for CVE-2026-0300 in Palo Alto PAN-OS even though Palo Alto's own patches were not due until 13 May — the first documented case of a KEV Deadline preceding the vendor patch. Federal agencies must apply mitigations or remove the affected product from the network.Source: CISA KEV / Palo Alto advisory
What is the Joint Cyber Defence Collaborative?
The JCDC is CISA's public-private partnership structure for sharing threat intelligence and co-ordinating Incident Response between federal agencies, critical infrastructure operators, and technology companies.Source: CISA
What does CISA do for election security?
CISA provides election infrastructure security support to all fifty US states, including threat intelligence, vulnerability assessments, and Incident Response co-ordination.Source: CISA
Does CISA only cover federal networks or private companies too?
CISA has mandatory jurisdiction over Federal Civilian Executive Branch (FCEB) agencies. For the private sector, its KEV catalogue, advisories and incident-response support are voluntary — but carry strong compliance and reputational weight, particularly for critical infrastructure operators.Source: CISA
What is CISA's Known Exploited Vulnerabilities catalogue?
The KEV catalogue lists software vulnerabilities confirmed as actively exploited in the wild. Federal civilian agencies must patch within the stated Deadline; private organisations treat it as an urgent advisory signal.Source: CISA
What does CISA do and why does it matter?
CISA (Cybersecurity and Infrastructure Security Agency) is the US federal lead for critical infrastructure protection and civilian network security. It maintains the Known Exploited Vulnerabilities catalogue, co-ordinates ransomware Incident Response and provides threat intelligence to the private sector.
Source Material