
CISA Binding Operational Directives: The Federal Agency Compliance Guide


Bottom Line Up Front

CISA Binding Operational Directives are mandatory cybersecurity requirements for Federal Civilian Executive Branch agencies. BOD 22-01 requires continuous remediation of Known Exploited Vulnerabilities by the due date CISA publishes with each catalog entry (the directive's default is two weeks for CVEs assigned in 2021 or later). BOD 23-01 requires asset discovery every seven days and vulnerability enumeration every 14 days. BOD 25-01 requires SCuBA secure configuration baselines for covered cloud services. Compliance is enforced through CDM dashboard visibility and FISMA assessments.

How many active Cybersecurity and Infrastructure Security Agency (CISA) Binding Operational Directives apply to your agency right now? Not the ones you heard about at last quarter’s briefing. The ones with open compliance windows, active remediation requirements, and documented timelines that CISA is watching. Most Federal Civilian Executive Branch (FCEB) agency compliance teams can name one or two. The full list is considerably longer, and three of those directives carry continuous requirements that generate findings in every assessment cycle.

CISA issues Binding Operational Directives under authority granted by the Federal Information Security Modernization Act (FISMA) and reinforced by the 2017 Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure executive order. For Federal Civilian Executive Branch agencies, these directives are not guidance documents or best-practice frameworks. They are mandatory requirements with specific timelines. Binding Operational Directive (BOD) 22-01 gave agencies two weeks to remediate certain Known Exploited Vulnerabilities (KEV). BOD 23-01 requires asset discovery on a seven-day cycle. BOD 25-01 targets cloud configuration drift that has been visible in federal environments for years. Agencies that treat these directives the way they treat NIST SP 800-53 recommendations, reviewing them once and filing them away, are building compliance debt that surfaces in Inspector General audits and FISMA assessments.

The three most consequential active BODs each carry a distinct compliance architecture. BOD 22-01 is a continuous obligation tied to a living catalog. BOD 23-01 is an operational cadence requirement. BOD 25-01 is a configuration baseline requirement with a defined set of secure configuration policies. Understanding what each directive requires, where agencies routinely fall short, and how the Continuous Diagnostics and Mitigation (CDM) program and TIC 3.0 intersect with BOD compliance gives compliance teams the map they need before the next assessment cycle opens.

CISA Binding Operational Directives are mandatory cybersecurity requirements for Federal Civilian Executive Branch agencies issued under FISMA authority. Active BODs include BOD 22-01 (Known Exploited Vulnerabilities remediation), BOD 23-01 (asset visibility and discovery), and BOD 25-01 (cloud security configuration). Non-FCEB agencies including DoD and the Intelligence Community are exempt but frequently adopt BOD requirements voluntarily.

BOD 22-01: Known Exploited Vulnerabilities and the Living Catalog Obligation

BOD 22-01, issued November 3, 2021, created a continuous compliance obligation that most agencies did not fully anticipate at the time of issuance. The directive established the CISA KEV catalog and required all FCEB agencies to remediate each catalog entry by the due date CISA publishes with it. The directive’s default timelines were six months for vulnerabilities with a CVE identifier assigned before 2021 and two weeks for all others, and CISA may shorten or extend the window for an individual entry; entries added since the initial catalog have commonly carried a due date about three weeks out. The clock runs from the date CISA adds the vulnerability to the catalog, not from the date the agency discovers the vulnerability in its environment.

The Catalog as Continuous Obligation

The KEV catalog contained roughly 300 entries at issuance. As of April 2026, it exceeds 1,200 entries, with CISA adding new vulnerabilities regularly based on confirmed active exploitation evidence. Each new catalog entry restarts the remediation clock for every FCEB agency running the affected software. An agency that patched its initial KEV backlog in late 2021 and stopped treating BOD 22-01 as an active program will have accumulated months of overdue remediation on entries added since then.

The practical compliance gap comes from asset coverage, not patching capacity. Agencies that cannot confirm whether a given KEV entry affects any system in their environment cannot demonstrate compliance with the directive. BOD 22-01 requires agencies to report remediation status through the Continuous Diagnostics and Mitigation program dashboard, which means the gap is visible to CISA. Agencies with incomplete asset inventories generate incomplete CDM reporting, and CISA can identify the discrepancy between the software running in an environment and the remediation status reported for that environment.

Scope: Internet-Accessible vs. All Federal Systems

BOD 22-01 applied from the start to all software and hardware on federal information systems, whether managed on agency premises or hosted by a third party on the agency’s behalf. The internet-accessible-only scope belongs to the older BOD 19-02, which still requires remediation of critical and high vulnerabilities on internet-accessible systems within 15 and 30 calendar days. The distinction matters for agencies that segregated their network environments and assumed that air-gapped or restricted-access systems were outside BOD 22-01 scope. Vulnerabilities on those systems still require remediation by the catalog due dates.

Emergency Directives and the KEV Intersection

CISA issues Emergency Directives alongside BODs when a vulnerability requires faster action than the standard catalog timeline permits. EDs carry shorter compliance windows, sometimes 48 to 72 hours for the most critical issues. The Apache Log4Shell vulnerability (CVE-2021-44228) in December 2021 generated Emergency Directive 22-02, issued December 17, 2021, which gave agencies until December 23, 2021 to enumerate every solution stack accepting input from the internet, evaluate it for Log4j, and patch, mitigate, or remove affected assets, with a report of affected software due to CISA by December 28, 2021. Agencies with mature KEV programs treated this as an acceleration of existing processes. Agencies without those processes scrambled to build inventory capabilities while the clock ran. The outcome difference between those two groups was visible in the FISMA metrics for fiscal year 2022.

The audit fix. Run a monthly comparison between your software inventory in CDM and every catalog entry added to the KEV list in the prior 30 days, and keep older entries with open due dates in view as well. Assign a named owner for KEV remediation tracking. Confirm that your CDM reporting reflects actual remediation status, not scheduled remediation. When CISA adds a new catalog entry, the clock starts on the catalog addition date and runs to the due date published with the entry. Your change management process must accommodate those timelines, not the reverse.
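The monthly comparison above, as an added example (not CISA or CDM code). The catalog records are constructed stand-ins shaped like entries from the real KEV feed at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json (real entries carry more fields); the CVE IDs, vendors, products, dates, inventory rows and status records are invented for illustration. The point it shows is the one the audit fix makes: a "scheduled" status is a plan, not a remediation, and an entry that matches nothing in the inventory is a coverage question, not a pass.

```python
"""Monthly KEV triage against a software inventory and a CDM-style status feed.

Added example, not CISA or CDM code. CATALOG is a constructed stand-in shaped
like records from the real feed at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
(real entries carry more fields); the CVE IDs, vendors, products, dates,
inventory rows and status records below are invented for illustration.
"""
from datetime import date, datetime, timedelta

AS_OF = date(2026, 4, 14)  # day the monthly comparison is run

CATALOG = {
    "vulnerabilities": [
        {"cveID": "CVE-2026-0001", "vendorProject": "ExampleVendor", "product": "GatewayOS",
         "dateAdded": "2026-03-20", "dueDate": "2026-04-10"},
        {"cveID": "CVE-2026-0002", "vendorProject": "ExampleVendor", "product": "MailServer",
         "dateAdded": "2026-04-01", "dueDate": "2026-04-22"},
        {"cveID": "CVE-2026-0003", "vendorProject": "OtherVendor", "product": "Widget",
         "dateAdded": "2026-04-05", "dueDate": "2026-04-26"},
        {"cveID": "CVE-2025-9999", "vendorProject": "ExampleVendor", "product": "GatewayOS",
         "dateAdded": "2026-02-01", "dueDate": "2026-02-22"},
    ]
}

# Software inventory as the dashboard would hold it (constructed). A real
# inventory needs CPE or version data; vendor+product matching alone over-matches.
INVENTORY = [
    {"asset": "vpn-gw-01", "vendor": "examplevendor", "product": "gatewayos"},
    {"asset": "mail-01", "vendor": "ExampleVendor", "product": "MailServer"},
    {"asset": "mail-02", "vendor": "ExampleVendor", "product": "MailServer"},
    {"asset": "mail-03", "vendor": "ExampleVendor", "product": "MailServer"},
]

# Remediation status per (asset, CVE) as reported to the dashboard (constructed).
# "scheduled" is a plan, not a remediation, and is never treated as closed.
STATUS = {
    ("vpn-gw-01", "CVE-2026-0001"): {"state": "scheduled", "date": "2026-04-20"},
    ("mail-01", "CVE-2026-0002"): {"state": "remediated", "date": "2026-04-10"},
    ("mail-03", "CVE-2026-0002"): {"state": "scheduled", "date": "2026-04-30"},
    ("vpn-gw-01", "CVE-2025-9999"): {"state": "remediated", "date": "2026-02-15"},
}


def _day(s):
    return datetime.strptime(s, "%Y-%m-%d").date()


def _key(vendor, product):
    return (vendor.strip().lower(), product.strip().lower())


def entries_added_since(catalog, as_of, days=30):
    """Catalog entries whose dateAdded falls within the last `days` days."""
    cutoff = as_of - timedelta(days=days)
    return [v for v in catalog["vulnerabilities"] if cutoff <= _day(v["dateAdded"]) <= as_of]


def matching_assets(entry, inventory):
    """Inventory rows whose vendor and product match the catalog entry."""
    want = _key(entry["vendorProject"], entry["product"])
    return [a for a in inventory if _key(a["vendor"], a["product"]) == want]


def classify(entry, status, as_of):
    """Finding for one (asset, entry) pair, judged against the entry's dueDate."""
    due = _day(entry["dueDate"])
    if status is None:
        return "no status reported"
    when = _day(status["date"])
    if status["state"] == "remediated":
        return "closed on time" if when <= due else "closed late"
    if as_of > due:                 # any non-remediated state past the due date
        return "overdue"
    if when > due:                  # plan exists, but it lands after the due date
        return "scheduled past due date"
    return "on track"


def triage(catalog, inventory, status, as_of, new_window_days=30):
    """Return (rows, unmatched): one row per affected asset and entry, plus the
    catalog entries that matched nothing in the inventory (coverage question)."""
    new_ids = {v["cveID"] for v in entries_added_since(catalog, as_of, new_window_days)}
    rows, unmatched = [], []
    for entry in catalog["vulnerabilities"]:
        assets = matching_assets(entry, inventory)
        if not assets:
            unmatched.append(entry["cveID"])
            continue
        for asset in assets:
            rows.append({
                "cve": entry["cveID"],
                "asset": asset["asset"],
                "due": entry["dueDate"],
                "days_left": (_day(entry["dueDate"]) - as_of).days,
                "new": entry["cveID"] in new_ids,
                "finding": classify(entry, status.get((asset["asset"], entry["cveID"])), as_of),
            })
    return rows, unmatched


if __name__ == "__main__":
    rows, unmatched = triage(CATALOG, INVENTORY, STATUS, AS_OF)
    for r in rows:
        flag = "NEW " if r["new"] else ""
        print(f"{r['cve']} {r['asset']:10} due {r['due']} ({r['days_left']:+d}d) {flag}{r['finding']}")
    print("confirm inventory coverage for:", ", ".join(unmatched))
```

Swap the constructed CATALOG for the parsed feed and INVENTORY and STATUS for exports from your dashboard; everything the reviewer needs to argue with is in the returned rows, and the unmatched list is the inventory-coverage question CISA can already see from the federal side.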

BOD 23-01: Asset Visibility, Discovery Cadence, and the Seven-Day Requirement

BOD 23-01, issued October 3, 2022, targets the root cause of most federal vulnerability management failures: agencies cannot remediate what they cannot see. The directive required all FCEB agencies to achieve and maintain asset visibility and vulnerability enumeration capabilities meeting specific operational cadences by April 3, 2023. The deadline has passed. Agencies that are not operating at BOD 23-01 cadence today are out of compliance with a directive that has been active for over three years.

The Two Core Cadence Requirements

BOD 23-01 establishes two distinct cadence requirements. Asset discovery must occur at least every seven days for all IP-addressable assets on agency networks. Vulnerability enumeration, meaning the process of identifying and cataloging vulnerabilities across discovered assets, must occur at least every 14 days on every discovered asset, including roaming devices such as laptops that may be off the network when a scheduled scan runs. The directive also requires agencies to initiate on-demand asset discovery within 72 hours of a CISA request. Both cadences apply to assets on agency-managed networks. They do not create exceptions for legacy systems, development environments, or systems managed by contractors operating under agency authority.

The seven-day asset discovery requirement is more operationally demanding than the 14-day vulnerability enumeration requirement. Seven days means agencies need automated discovery tools running continuously, not periodic scans scheduled at convenient intervals. An agency that conducts asset discovery during scheduled maintenance windows will struggle to meet the cadence requirement if those windows fall more than seven days apart. Automated network scanning, DHCP integration, and CDM sensor deployment are the implementation path most agencies use to achieve the cadence.

Reporting to CISA Through CDM

BOD 23-01 requires agencies to automatically ingest asset discovery and vulnerability enumeration data into the CDM Agency Dashboard, with enumeration results landing there within 72 hours of scan completion, and to make that data available to CISA through the CDM Federal Dashboard. The ingestion requirement is not satisfied by producing discovery reports for internal use. The data must flow into CDM in a format CISA accepts. Agencies using CDM-approved sensors and tools can automate this ingestion. Agencies relying on scanning tools not integrated with CDM must build a separate data pipeline to meet the reporting requirement, or replace their scanning infrastructure with CDM-compatible tools.

Where BOD 23-01 and BOD 22-01 Connect

BOD 23-01 is operationally upstream of BOD 22-01. An agency cannot meet its KEV remediation due dates under BOD 22-01 without the asset visibility and discovery cadence BOD 23-01 requires. If the asset discovery cycle runs longer than seven days, the agency will have gaps in its understanding of which systems run affected software when a new KEV entry appears. The time remaining before an entry’s due date under BOD 22-01 effectively shrinks by however many days the agency spends completing its next discovery cycle. Agencies treating these two directives as separate programs instead of an integrated system create compliance exposure in both.

Bottom Line Up Front

BOD 23-01 is not a scanning policy. It is a data pipeline requirement. The compliance question CISA is asking is not whether the agency ran scans. The question is whether the scan data reached the CDM Federal Dashboard in a format CISA can read. Agencies that produce excellent internal vulnerability reports but do not feed that data into CDM are non-compliant with BOD 23-01 regardless of their scanning frequency.

The audit fix. Confirm the exact cadence of your automated discovery scans against the seven-day requirement. Pull your CDM Agency Dashboard ingestion logs and verify that asset data is flowing on schedule and in the correct format. Map your vulnerability scanning tool to the CDM-approved tools list. If you are using a tool not on the approved list, document your data pipeline from that tool into CDM and test the pipeline against a known asset change to confirm the data reaches CISA’s dashboard. Run this verification quarterly, not annually.
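The cadence check and the ingestion-log check from the two passages above, as an added example (not CDM or CISA code). The scan-run records and ingestion timestamps are constructed stand-ins for what you would export from the scanner’s job history and the CDM Agency Dashboard ingestion log; scope names, run IDs and times are invented. It applies the seven-day and 14-day limits per scope and the 72-hour ingestion window to enumeration runs, and it treats both a long gap between runs and a scope that has simply gone quiet as findings.

```python
"""BOD 23-01 cadence and CDM ingestion verification over scan-run records.

Added example, not CDM or CISA code. RUNS and INGESTED are constructed stand-ins
for a scanner job history and the CDM Agency Dashboard ingestion log; the scope
names, run IDs and timestamps are invented for illustration.
"""
from datetime import datetime, timedelta
from itertools import groupby

LIMITS = {"discovery": timedelta(days=7), "enumeration": timedelta(days=14)}
INGEST_MAX = timedelta(hours=72)    # enumeration results must reach CDM within 72 hours
AS_OF = datetime(2026, 4, 8, 9, 0)  # moment the verification is run

# Completed scan runs, one record per scope (network segment) per run (constructed).
RUNS = [
    {"id": "d-hq-1", "scope": "hq-lan", "kind": "discovery", "completed": "2026-03-01T04:00"},
    {"id": "d-hq-2", "scope": "hq-lan", "kind": "discovery", "completed": "2026-03-08T04:00"},
    {"id": "d-hq-3", "scope": "hq-lan", "kind": "discovery", "completed": "2026-03-15T04:00"},
    {"id": "d-hq-4", "scope": "hq-lan", "kind": "discovery", "completed": "2026-03-24T04:00"},
    {"id": "d-hq-5", "scope": "hq-lan", "kind": "discovery", "completed": "2026-03-31T04:00"},
    {"id": "e-hq-1", "scope": "hq-lan", "kind": "enumeration", "completed": "2026-03-05T06:00"},
    {"id": "e-hq-2", "scope": "hq-lan", "kind": "enumeration", "completed": "2026-03-19T06:00"},
    {"id": "e-hq-3", "scope": "hq-lan", "kind": "enumeration", "completed": "2026-04-02T06:00"},
    {"id": "d-dc-1", "scope": "dc-east", "kind": "discovery", "completed": "2026-03-02T04:00"},
    {"id": "d-dc-2", "scope": "dc-east", "kind": "discovery", "completed": "2026-03-09T04:00"},
    {"id": "d-dc-3", "scope": "dc-east", "kind": "discovery", "completed": "2026-03-16T04:00"},
    {"id": "d-dc-4", "scope": "dc-east", "kind": "discovery", "completed": "2026-03-23T04:00"},
    {"id": "d-dc-5", "scope": "dc-east", "kind": "discovery", "completed": "2026-03-30T04:00"},
    {"id": "d-dc-6", "scope": "dc-east", "kind": "discovery", "completed": "2026-04-06T04:00"},
    {"id": "e-dc-1", "scope": "dc-east", "kind": "enumeration", "completed": "2026-03-03T06:00"},
    {"id": "e-dc-2", "scope": "dc-east", "kind": "enumeration", "completed": "2026-03-20T06:00"},
    {"id": "e-dc-3", "scope": "dc-east", "kind": "enumeration", "completed": "2026-04-03T06:00"},
]

# Run ID -> time the results were ingested into the CDM Agency Dashboard (constructed).
INGESTED = {
    "e-hq-1": "2026-03-06T20:00",
    "e-hq-2": "2026-03-23T12:00",
    "e-dc-1": "2026-03-04T02:00",
    "e-dc-2": "2026-03-21T00:00",
    "e-dc-3": "2026-04-04T10:00",
}


def _t(s):
    return datetime.fromisoformat(s)


def cadence_findings(runs, as_of, limits=LIMITS):
    """Per scope and kind: gaps between consecutive runs wider than the limit,
    and scopes whose last run is older than the limit as of `as_of`."""
    findings = []
    key = lambda r: (r["scope"], r["kind"])
    ordered = sorted(runs, key=lambda r: (r["scope"], r["kind"], r["completed"]))
    for (scope, kind), group in groupby(ordered, key=key):
        times = [_t(r["completed"]) for r in group]
        limit = limits[kind]
        for prev, cur in zip(times, times[1:]):
            if cur - prev > limit:  # a gap of exactly the limit still satisfies "at least every N days"
                findings.append({"scope": scope, "kind": kind, "check": "gap", "days": (cur - prev).days})
        if as_of - times[-1] > limit:
            findings.append({"scope": scope, "kind": kind, "check": "stale", "days": (as_of - times[-1]).days})
    return findings


def ingestion_findings(runs, ingested, as_of, max_lag=INGEST_MAX):
    """Enumeration runs whose results reached CDM late, or not at all once the window has passed."""
    findings = []
    for r in runs:
        if r["kind"] != "enumeration":
            continue
        done = _t(r["completed"])
        when = ingested.get(r["id"])
        if when is None:
            if as_of - done > max_lag:
                findings.append({"run": r["id"], "scope": r["scope"], "check": "not ingested",
                                 "hours": int((as_of - done).total_seconds() // 3600)})
            continue
        lag = _t(when) - done
        if lag > max_lag:
            findings.append({"run": r["id"], "scope": r["scope"], "check": "late ingestion",
                             "hours": int(lag.total_seconds() // 3600)})
    return findings


if __name__ == "__main__":
    for f in cadence_findings(RUNS, AS_OF):
        print(f"{f['scope']:8} {f['kind']:12} {f['check']:6} {f['days']} days")
    for f in ingestion_findings(RUNS, INGESTED, AS_OF):
        print(f"{f['run']:8} {f['scope']:8} {f['check']:15} {f['hours']} h")
```

One caveat the code cannot supply on its own: a scope that never produced a run at all does not appear in RUNS and so generates no finding. Build the scope list from the network ranges CDM knows about, not from the scanner’s own history, and treat a scope with zero runs as the most serious gap of all.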

BOD 25-01: Cloud Security Configuration and the CISA SCuBA Benchmarks

BOD 25-01, issued December 17, 2024, targets a problem that has been visible in federal cloud environments since the widespread adoption of Microsoft 365, Google Workspace, and other cloud productivity platforms accelerated after the COVID-19 pandemic. Federal agencies adopted cloud services faster than they hardened them. The directive requires FCEB agencies to implement CISA’s Secure Cloud Business Applications (SCuBA) secure configuration baselines for specified cloud services.

The SCuBA Configuration Baselines

CISA developed the SCuBA project to produce secure configuration baselines, with automated assessment tooling, for cloud services used widely across the federal government. The initial mandatory baselines cover Microsoft 365: Microsoft Entra ID (formerly Azure Active Directory), Exchange Online, SharePoint Online and OneDrive for Business, Teams, Power Platform, and Defender for Office 365. BOD 25-01 set three deadlines for that initial scope: identify all cloud tenants by February 21, 2025; deploy the SCuBA assessment tools and begin continuous monitoring by April 25, 2025; and implement all mandatory SCuBA policies by June 20, 2025. Cloud products CISA adds to the directive later come with their own implementation timelines. Agencies must use CISA’s ScubaGear automated assessment tool to evaluate their current configurations against the baselines.

The baselines are not optional starting points. They represent CISA’s determination of the minimum secure configuration for each covered product in federal civilian environments. Configuration policies that deviate from the baseline require documented approval through the agency’s authorization process. Ad hoc exceptions do not satisfy the directive’s requirements.

The ScubaGear Assessment Requirement

BOD 25-01 requires agencies to run CISA’s ScubaGear tool against their covered cloud environments and report results to CISA through the CDM Agency Dashboard. ScubaGear produces a machine-readable assessment report identifying which baseline policies the agency meets, which it fails, and which require manual review because the tool cannot assess them automatically. The manual review items require documented evaluation by agency personnel, not simply a note that the tool could not assess them.

The compliance challenge for most agencies is not technical. ScubaGear runs in a PowerShell environment and produces clear output. The challenge is governance: configuration changes to cloud productivity platforms touch end users, require testing, and often require coordination with application owners who have configured tenant settings for operational reasons that conflict with SCuBA baselines. Building the change management process to move through those conflicts systematically while meeting BOD 25-01 timelines requires compliance team involvement at the tenant configuration governance layer, not just the security operations layer.

TIC 3.0 and Cloud Security Alignment

BOD 25-01 sits within a broader federal cloud security architecture that includes the Office of Management and Budget’s Trusted Internet Connections 3.0 policy and the CISA Zero Trust Maturity Model. TIC 3.0 established use cases governing how federal agencies secure connections to cloud services, including the Cloud Use Case that addresses cloud access security broker deployment and policy enforcement. Agencies implementing BOD 25-01 SCuBA baselines should confirm that their CASB configurations align with TIC 3.0 Cloud Use Case requirements. The two frameworks address different layers: TIC 3.0 governs traffic flow and policy enforcement at the network boundary, SCuBA governs configuration within the cloud tenant. A tenant meeting SCuBA baselines but lacking proper CASB enforcement under TIC 3.0 still has a gap in its cloud security architecture.

The audit fix. Download ScubaGear from the CISA GitHub repository (github.com/cisagov/ScubaGear) and run it against each covered Microsoft 365 product in your tenant. Map every FAIL result to a change request with an owner, a remediation timeline, and a test plan. Document every MANUAL result with a written assessment and a conclusion about whether the policy meets the SCuBA intent. Submit your ScubaGear results to CISA through CDM on the schedule BOD 25-01 specifies. Compare each run with the previous one, because a control that passed last quarter and fails now is exactly the configuration drift the directive targets. Assign a cloud security owner at the tenant governance level who attends configuration change reviews, not just the security operations center analyst who runs the scan.
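The run-to-run comparison and the two governance gates above, as an added example (not ScubaGear code). The result maps are constructed in a deliberately simplified control_id to result shape and do not reproduce ScubaGear’s real report format; the control IDs follow the SCuBA MS.<product>.<group>.<policy>v<version> naming style but are placeholders here, as are the change-request and manual-assessment records and the PASS/FAIL/MANUAL labels.

```python
"""Drift check between two SCuBA assessment runs, plus the governance gates
from the audit fix: every FAIL has a complete change request, every MANUAL
has a written assessment with a conclusion.

Added example, not ScubaGear code. The result maps are constructed in a
simplified control_id -> result shape and do not reproduce ScubaGear's real
report format; control IDs are placeholders in the SCuBA naming style.
"""

# Previous and current assessment results (constructed).
PREVIOUS_RUN = {
    "MS.EXO.1.1v1": "PASS", "MS.EXO.2.1v1": "FAIL", "MS.AAD.3.1v1": "PASS",
    "MS.AAD.5.1v1": "MANUAL", "MS.TEAMS.1.1v1": "PASS",
}
CURRENT_RUN = {
    "MS.EXO.1.1v1": "PASS", "MS.EXO.2.1v1": "PASS", "MS.AAD.3.1v1": "FAIL",
    "MS.AAD.5.1v1": "MANUAL", "MS.TEAMS.1.1v1": "FAIL", "MS.TEAMS.2.1v1": "FAIL",
}

# Governance records keyed by control ID (constructed).
CHANGE_REQUESTS = {
    "MS.AAD.3.1v1": {"owner": "idm-team", "due": "2026-05-01", "test_plan": "pilot group, then all users"},
    "MS.TEAMS.1.1v1": {"owner": "", "due": "", "test_plan": ""},   # opened but never filled in
}
MANUAL_ASSESSMENTS = {
    "MS.AAD.5.1v1": {"assessment": "", "conclusion": ""},          # "tool could not assess" is not an assessment
}


def diff_runs(previous, current):
    """Controls fixed since the last run, regressed (PASS -> FAIL, i.e. drift),
    and failing controls that the previous run did not cover at all."""
    fixed = sorted(c for c, r in current.items() if r == "PASS" and previous.get(c) == "FAIL")
    regressed = sorted(c for c, r in current.items() if r == "FAIL" and previous.get(c) == "PASS")
    new_failures = sorted(c for c, r in current.items() if r == "FAIL" and c not in previous)
    return {"fixed": fixed, "regressed": regressed, "new_failures": new_failures}


def governance_gaps(current, change_requests, manual_assessments):
    """(control_id, reason) for every FAIL without a complete change request and
    every MANUAL without a written assessment and conclusion."""
    gaps = []
    for cid, result in sorted(current.items()):
        if result == "FAIL":
            cr = change_requests.get(cid)
            if cr is None:
                gaps.append((cid, "FAIL with no change request"))
            elif not all(cr.get(k) for k in ("owner", "due", "test_plan")):
                gaps.append((cid, "change request missing owner, due date or test plan"))
        elif result == "MANUAL":
            ma = manual_assessments.get(cid)
            if not ma or not ma.get("assessment") or not ma.get("conclusion"):
                gaps.append((cid, "MANUAL with no written assessment and conclusion"))
    return gaps


if __name__ == "__main__":
    for label, ids in diff_runs(PREVIOUS_RUN, CURRENT_RUN).items():
        print(f"{label:13} {', '.join(ids) or '-'}")
    for cid, reason in governance_gaps(CURRENT_RUN, CHANGE_REQUESTS, MANUAL_ASSESSMENTS):
        print(f"{cid:16} {reason}")
```

The regressed list is the one to escalate first: a control that passed and now fails means someone changed the tenant after it was brought to baseline, which is a change-control question before it is a remediation question.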

BOD Compliance Tracking: Building a Program That Holds Up Under FISMA Assessment

FISMA annual assessments evaluate agency compliance with mandatory requirements including active BODs. Inspectors General and their contractors check whether agencies have implemented BOD requirements, not just whether they are aware of them. The gap between awareness and documented implementation is where most findings originate. Agencies with a program that tracks BOD compliance as a continuous operational requirement produce cleaner FISMA metrics than agencies that treat each BOD as a one-time project.

The Non-FCEB Question: DoD, IC, and Private Sector Adoption

BODs are mandatory only for FCEB agencies. The Department of Defense and Intelligence Community agencies operate under separate cybersecurity authorities and are explicitly exempt from BOD requirements. In practice, DoD frequently adopts BOD requirements through its own directives, and the Defense Information Systems Agency maintains its own Security Technical Implementation Guides that often reflect similar policy intent. Private sector organizations, particularly those operating critical infrastructure or working as federal contractors, have increasingly adopted the CISA KEV catalog as a vulnerability prioritization framework. CISA has explicitly encouraged this adoption, noting that the KEV catalog represents CISA’s assessment of vulnerabilities with confirmed active exploitation regardless of sector.

CDM Integration as Compliance Infrastructure

The CDM program provides the technical infrastructure that makes BOD compliance reporting possible. CDM dashboard data flows from agency sensors to the CDM Agency Dashboard and from there to the CDM Federal Dashboard, where CISA has visibility into asset inventory, vulnerability status, and configuration compliance across the federal enterprise. Agencies that have not fully deployed CDM capabilities have a structural barrier to BOD compliance reporting that goes beyond any individual directive. A BOD 23-01 non-compliance finding frequently traces back to incomplete CDM sensor deployment rather than a failure to conduct scans.

Building the Compliance Tracking Register

Agencies that manage BOD compliance through a dedicated tracking register rather than ad hoc project management produce more consistent results. A BOD compliance register documents every active directive, the specific requirements within each directive, the agency’s current compliance status against each requirement, the next scheduled verification activity, and the owner responsible for maintaining compliance. The register connects to the agency’s system of record for POA&M items when a requirement is not yet met, creating a documented remediation path. This structure lets the compliance team demonstrate progress to the IG and to CISA’s CDM oversight team, and it gives leadership a clear picture of where the agency carries open BOD obligations.

The audit fix. Build a BOD compliance register with one row per active directive requirement. Columns: directive number, specific requirement text, compliance status (compliant, partially compliant, non-compliant), evidence location, next verification date, and responsible owner. Review the register monthly. Confirm that every open item has a corresponding POA&M entry with a realistic completion date. When CISA issues a new BOD or updates an existing one, add the new requirements to the register within 48 hours of issuance.

| Directive | Primary Requirement | Key Timeline | Reporting Mechanism | Common Compliance Gap |
| --- | --- | --- | --- | --- |
| BOD 22-01 | Remediate all KEV catalog entries on applicable federal systems | Due date published with each entry, counted from the catalog addition date (directive default: two weeks for 2021-and-later CVEs, six months for older CVEs) | CDM Agency Dashboard | Incomplete asset inventory prevents confirmation of affected systems |
| BOD 23-01 | Asset discovery every 7 days; vulnerability enumeration every 14 days; enumeration results into CDM within 72 hours | Required since April 3, 2023 | CDM Agency Dashboard (automated ingestion) | Discovery data not flowing into CDM in CISA-accepted format |
| BOD 25-01 | Implement SCuBA secure configuration baselines for covered cloud services | Tenant inventory by February 21, 2025; assessment tooling by April 25, 2025; mandatory policies by June 20, 2025; later products on their own timelines | ScubaGear results via CDM | Tenant configuration changes blocked by operational governance conflicts |
| Emergency Directives | Varies by ED; typically patch, inventory, or isolate affected systems | Days; as little as 48 hours for the most critical EDs | Varies; typically direct to CISA | Absence of pre-built incident response procedures for ED-level response |
| BOD 18-01 | Email and web security (DMARC, HTTPS, HSTS) | Original deadlines in 2017-2018; ongoing maintenance | CISA assessment tools | Subdomains and new systems added post-compliance not assessed |

FCEB agencies carrying open BOD compliance gaps are not managing a policy question. They are managing a risk that CISA can see in real time through CDM. BOD 22-01, BOD 23-01, and BOD 25-01 together define the federal baseline for asset visibility, vulnerability prioritization, and cloud configuration security. Agencies that build these as integrated operational programs rather than separate compliance projects will show cleaner FISMA metrics, faster ED response times, and fewer IG findings. Start with the compliance register. Map every open requirement to a named owner. Make the CDM data pipeline the first infrastructure investment, because everything else in BOD compliance depends on it.

Frequently Asked Questions

What agencies must comply with CISA Binding Operational Directives?

CISA Binding Operational Directives apply to Federal Civilian Executive Branch agencies, defined as all federal executive branch departments and agencies except the Department of Defense, Intelligence Community elements, and other national security systems. Non-FCEB agencies are exempt from mandatory BOD compliance but frequently adopt BOD requirements voluntarily. State, local, tribal, and territorial governments and private sector organizations are never subject to BOD requirements, though CISA encourages voluntary adoption of frameworks like the KEV catalog.

How does CISA enforce Binding Operational Directive compliance?

CISA enforces BOD compliance primarily through the CDM program, which gives CISA real-time visibility into agency asset inventory, vulnerability status, and configuration compliance data. CISA reports BOD compliance metrics to OMB and to Congress through annual FISMA reports, and agency Inspectors General include BOD compliance in their annual independent evaluations. CISA does not impose financial penalties directly, but IG findings citing BOD non-compliance create formal findings that agencies must remediate through the POA&M process and report to OMB.

How often does CISA add vulnerabilities to the Known Exploited Vulnerabilities catalog under BOD 22-01?

CISA adds vulnerabilities to the KEV catalog on a continuous basis as it confirms active exploitation evidence. The catalog has grown from approximately 300 entries at issuance in November 2021 to over 1,200 entries as of April 2026. CISA does not publish a fixed schedule for catalog additions. Agencies must monitor the catalog continuously and treat each new entry as starting a fresh remediation clock from the addition date.

Does BOD 23-01 apply to cloud assets and contractor-managed systems?

BOD 23-01 applies to all IP-addressable assets on agency networks, including assets hosted in cloud environments under agency authority. The directive does not exclude contractor-managed systems operating within agency network boundaries or under agency authorizations to operate. Agencies must confirm that their asset discovery and vulnerability enumeration programs reach cloud-hosted and contractor-managed assets within their authority, or document a specific exclusion with supporting rationale.

What is ScubaGear and how does it relate to BOD 25-01 compliance?

ScubaGear is an open-source automated assessment tool CISA developed to evaluate Microsoft 365 tenant configurations against the SCuBA secure configuration baselines. BOD 25-01 requires FCEB agencies to use ScubaGear to assess their covered cloud environments and report results to CISA through CDM. ScubaGear produces a report identifying policies that pass, fail, or require manual review. Agencies must address FAIL results through documented remediation and treat MANUAL results with a written assessment, not as automatically compliant.

Can private sector organizations use CISA BODs as a cybersecurity framework?

Private sector organizations are not subject to BOD requirements but can adopt BOD frameworks voluntarily. The CISA KEV catalog is widely used in private sector vulnerability management programs as a prioritization mechanism, with many organizations treating KEV remediation timelines as internal policy. CISA explicitly encourages private sector adoption of the KEV catalog given its focus on confirmed active exploitation. The SCuBA baselines for Microsoft 365 are publicly available and represent a well-documented configuration benchmark that private sector organizations running M365 environments can apply without any federal mandate.

How does BOD compliance intersect with FISMA annual assessments?

FISMA annual assessments, conducted by agency Inspectors General or their contractors, evaluate compliance with mandatory cybersecurity requirements that include active BODs. IG teams check whether agencies have documented implementation of BOD requirements with supporting evidence, not just awareness of the directives. BOD compliance gaps generate FISMA findings that require POA&M entries and appear in agency FISMA scorecards submitted to OMB. Agencies with mature BOD compliance programs, documented through the CDM dashboard and internal tracking registers, consistently produce fewer IG findings and stronger FISMA metrics than agencies managing BOD compliance reactively.

What is the difference between a Binding Operational Directive and an Emergency Directive?

CISA issues Binding Operational Directives to establish sustained cybersecurity requirements and operational standards for FCEB agencies. Emergency Directives address specific, time-sensitive threats requiring faster action than a standard BOD timeline permits. Emergency Directives typically carry compliance windows measured in days rather than weeks, and they require a more compressed response that agencies need pre-built processes to meet. A new KEV catalog entry under BOD 22-01 gives agencies until the due date published with the entry, commonly a few weeks. An Emergency Directive on the same vulnerability class could compress that to 48 hours.


Discipline in preparation. Confidence in the room.

Josef Kamara, CPA, CISSP, CISA, Security+

Former KPMG and BDO. Senior manager over third-party risk attestations and IT audits at a top-five global firm, and former technology risk leader directing the IT audit function at a Fortune 500 medical technology company. Advises growth-stage SaaS companies on SOC 2, HIPAA, and AI governance certifications.

The Authority Brief

One compliance analysis per week from Josef Kamara, CPA, CISSP, CISA. Federal and private compliance, written for practitioners.