On January 8, 2026, the Cybersecurity and Infrastructure Security Agency formally retired ten Emergency Directives issued between 2019 and 2024. CISA stated the directives had "achieved their mission to mitigate urgent and imminent risks to Federal Civilian Executive Branch agencies." The retirement signals a broader shift in federal cybersecurity governance. Coverage from CISA and The Hacker News.

What CISA directives actually are

CISA issues two directive types:

  • Binding Operational Directives (BODs): Longer-lived, broad policy-level cybersecurity requirements for FCEB agencies (things like patching timelines, asset inventory, endpoint detection)
  • Emergency Directives (EDs): Short-fuse, threat-specific responses to imminent risks (Log4j, Cisco zero-days, SolarWinds, etc.)

Both apply directly to FCEB agencies and indirectly to contractors supporting them — contractors must comply with directive-driven security requirements when flowed down via contracts.

What the retirement signals

Per CISA's announcement, the directives were retired because they achieved their protective effect; agencies have integrated the underlying requirements into standing practice. The broader pattern:

  • Fewer standing "kitchen-sink" directives
  • More narrowly scoped, threat-specific EDs (recent example: Cisco SD-WAN inventory directive)
  • Standing requirements codified via BODs or statute rather than persistent EDs

What's still active

Several recent directives remain in force:

  • Cisco SD-WAN systems inventory and patch directive (BOD-level guidance integrated)
  • Cisco ASA zero-day emergency mitigation (active)
  • Known Exploited Vulnerabilities catalog — continuously updated (see recent KEV additions)

Executive Order impact

The Trump cybersecurity executive order removed certain secure-software attestation requirements for federal contractors. Combined with CISA's directive retirement, the direction of travel is toward fewer blanket attestation burdens and more targeted, threat-driven response.

What to do this week

  • Review your contract clause set for references to retired EDs, and update procedures to reflect the current directive landscape
  • Subscribe to the KEV catalog feed if you haven't — it's the best signal for real current cyber priorities
  • Verify your secure-software attestation practices: some requirements eased, but the ones that remain are stricter
