FCEB

Federal Civilian Executive Branch (FCEB) agencies are US government departments subject to mandatory patch deadlines set by CISA's Known Exploited Vulnerabilities catalogue.

Last refreshed: 7 June 2026 · Appears in 1 active topic

Key Question

Why do CISA's patch deadlines only cover government agencies and not private companies?

Timeline for FCEB

#63 Jun

Mentioned in: Magento RCE forces 9-day patch race

Cybersecurity: Threats and Defences
Common Questions
What are FCEB agencies and why do they have to follow CISA's patch deadlines?
FCEB stands for Federal Civilian Executive Branch, the civilian departments and agencies of the US federal government. Under CISA's Binding Operational Directive 22-01 (BOD 22-01), FCEB agencies are legally required to patch any vulnerability listed in CISA's Known Exploited Vulnerabilities catalogue within the deadline CISA sets, typically three to 21 days. The directive does not apply to the Department of Defense, the Intelligence Community, state governments or private companies. Source: CISA BOD 22-01, November 2021
Does CISA's KEV catalogue apply to private companies?
No. CISA's mandatory KEV patch deadlines under BOD 22-01 apply only to US Federal Civilian Executive Branch (FCEB) agencies. Private sector organisations are strongly encouraged by CISA to treat KEV listings as high-priority remediation targets, but there is no legal obligation to comply. This means that for each KEV-listed CVE, the mandatory remediation covers only a fraction of the total vulnerable population. Source: CISA BOD 22-01, CISA KEV programme FAQ

Background

Federal Civilian Executive Branch (FCEB) refers collectively to the civilian departments and agencies of the United States federal government that fall under executive-branch authority, excluding the Department of Defense and the Intelligence Community, which operate under separate cyber directives. FCEB agencies include departments such as the Treasury, Health and Human Services, Homeland Security, and the General Services Administration, plus their subordinate components. The designation is significant in cybersecurity policy because CISA's Binding Operational Directive 22-01 (BOD 22-01), issued November 2021, places mandatory patching obligations on all FCEB agencies for vulnerabilities listed in the Known Exploited Vulnerabilities (KEV) catalogue. When CISA adds a CVE to KEV, FCEB agencies are legally required to patch within the deadline CISA sets, typically between three and 21 days depending on assessed severity and remediation complexity.

In the cyber-threats-and-defences briefing window (1-3 June 2026), four CVEs received KEV listings with FCEB deadlines: CVE-2024-21182 (WebLogic, 22 June), CVE-2022-0492 (Linux cgroups, 5 June), CVE-2025-48595 (Android, 5 June) and CVE-2026-45247 (Magento, 6 June). The FCEB population does not include private-sector organisations or state and local governments, which are encouraged but not required to follow KEV guidance. The private sector constitutes the majority of the vulnerable population for each listed CVE, meaning mandatory remediation covers only a fraction of exposed deployments.

The KEV/BOD 22-01 model is the primary forcing function for legacy-estate patching in the US federal government. The proposed FY27 budget reduction of $707 million to CISA would eliminate 860 positions, including staff who maintain the KEV programme, directly threatening the enforcement capacity that underpins FCEB patching compliance.
