
CISA Known Exploited Vulnerabilities Catalog: The Federal Remediation Mandate

Updated May 18, 2026

Bottom Line Up Front

The CISA Known Exploited Vulnerabilities catalog, mandated by BOD 22-01, requires FCEB agencies to remediate listed vulnerabilities by the due date CISA publishes with each entry. The directive's defaults are 14 days for CVE-IDs assigned in 2021 or later and 6 months for pre-2021 CVE-IDs, measured from the date the entry is added to the catalog, and CISA may adjust them per entry. The catalog grew from roughly 300 entries at launch in November 2021 to over 1,500 by 2026. Private sector organizations increasingly adopt KEV as a vulnerability prioritization framework.

When the Cybersecurity and Infrastructure Security Agency (CISA) launched the Known Exploited Vulnerabilities (KEV) catalog in November 2021, it contained roughly 300 entries. By early 2026, that number exceeds 1,500. CISA adds new entries continuously, each one representing a vulnerability with confirmed active exploitation evidence, each one restarting a remediation clock for every Federal Civilian Executive Branch (FCEB) agency running the affected software. That is not a static list to patch once and archive. It is a living obligation that has grown fivefold in under five years.

Before Binding Operational Directive (BOD) 22-01, federal agencies prioritized vulnerabilities primarily through Common Vulnerability Scoring System (CVSS) scores. A critical CVSS rating, a 9.8 or a 10.0, told the team the theoretical severity. It did not tell them whether attackers were actually using the vulnerability today. Threat actors do not sort their exploit kits by CVSS score. They exploit what works. The KEV catalog captures what works: vulnerabilities with direct evidence of active exploitation in the wild, not just proof-of-concept code in a research paper. The gap between “theoretically severe” and “actively exploited” turns out to matter enormously for prioritization.

BOD 22-01 closed that gap by making KEV remediation mandatory for FCEB agencies, with defined timelines and Continuous Diagnostics and Mitigation (CDM) reporting requirements. The catalog mechanics, inclusion criteria, remediation timelines, and CDM integration all carry compliance implications that agencies and their contractors need to understand precisely. Private sector organizations adopting KEV as a voluntary prioritization framework face the same practical questions. The answers are the same either way.

Remediate KEV entries by following three steps: subscribe to the CISA KEV catalog feed so new additions reach you the day they are published, cross-reference each new entry against your asset inventory to identify affected systems, and patch or mitigate by the due date published with the entry (the BOD 22-01 defaults are 14 days for CVE-IDs assigned in 2021 or later and 6 months for pre-2021 CVE-IDs, measured from the catalog addition date) [BOD 22-01]. Report remediation status through your CDM Agency Dashboard. CISA adds entries only when all three inclusion criteria are met: a Common Vulnerabilities and Exposures (CVE) identifier has been assigned, active exploitation has been confirmed, and a clear remediation action exists.

BOD 22-01: The Federal Mandate Behind the CISA KEV Catalog

BOD 22-01, issued November 3, 2021, established two things simultaneously: the CISA KEV catalog as the authoritative list of exploited vulnerabilities, and mandatory remediation timelines for every FCEB agency operating systems affected by catalog entries. The directive did not create a one-time remediation sprint. It created a permanent operational obligation tied to a catalog that CISA updates on an ongoing basis.

Authority and Scope

CISA issued BOD 22-01 under the authority granted by the Federal Information Security Modernization Act (FISMA), specifically the provisions at 44 U.S.C. § 3553 that empower CISA to issue binding directives to federal agencies. The directive applies to all Federal Civilian Executive Branch agencies. The Department of Defense, Intelligence Community elements, and national security systems operate under separate authorities and are not subject to BOD 22-01, though many adopt equivalent policies voluntarily.

BOD 22-01 covers all software and hardware on federal information systems, whether agency-managed on premises or hosted by a third party. Early agency interpretations and CISA public communications focused on internet-accessible assets, but the directive text always reached internal systems. Agencies that assumed air-gapped or restricted-access systems were outside KEV scope need to revisit that assumption. The remediation obligation follows the software, not the network segment.

The Remediation Timeline Structure

BOD 22-01 sets two default remediation windows, both measured from the date CISA adds an entry to the catalog: two weeks for vulnerabilities with a CVE identifier assigned in 2021 or later, and six months for vulnerabilities with a CVE identifier assigned before 2021 (BOD 22-01). The directive allows CISA to adjust these defaults for individual entries when the risk to the federal enterprise warrants, so the due date published with each catalog entry, not the default, is the binding deadline. Both timelines run from the catalog addition date, not from the date the agency discovers the vulnerability in its own environment. An agency that runs biweekly vulnerability scans and first sees a 2021+ CVE entry on day 12 of a 14-day window has two days left to remediate, regardless of when its scanner surfaced the finding.

The timeline structure rewards continuous monitoring. Agencies that discover a new KEV addition within 24 hours of catalog publication have the full 14-day window (for 2021+ CVEs) or 6-month window (for pre-2021 CVEs) to plan and execute remediation. Agencies with slower discovery cycles work with whatever window remains after their detection lag. The practical implication is that BOD 22-01 compliance is partly a function of how quickly an agency can identify whether a new catalog entry affects any of its systems, particularly for the 14-day class, where a multi-day detection lag substantially compresses the available remediation window.

Confirmation and Reporting Requirements

BOD 22-01 requires agencies to remediate catalog entries and report remediation status to CISA through the CDM program dashboard. Agencies must confirm actual remediation, not scheduled remediation. A change ticket with a planned patch date does not satisfy the directive. The CDM dashboard reflects whether the vulnerability has been addressed on the affected systems. CISA has visibility into the gap between what agencies report and what their CDM data shows.

The audit fix. Set up an automated alert for every new CISA KEV catalog addition. Tools including Tenable.io, Qualys, and Rapid7 maintain direct KEV catalog integrations that flag affected assets within hours of a new catalog entry. Assign a named owner for KEV tracking separate from your general vulnerability management queue. When a new entry appears, run a targeted scan for the affected software across your full asset inventory within 48 hours. Document the scan results, affected system count, patch status, and remediation timeline in your Plan of Action and Milestones (POA&M) before the CDM reporting cycle. Remediation confirmation to CISA requires completed patches, not open tickets.

CISA KEV Catalog Mechanics: How Vulnerabilities Get Added

CISA applies three criteria before adding a vulnerability to the KEV catalog. Understanding those criteria explains why the catalog functions differently from CVSS-based priority lists and why it produces better prioritization outcomes for organizations focused on actual attack surface rather than theoretical risk.

The Three Inclusion Criteria

Every KEV entry must satisfy all three conditions. First, the vulnerability must have an assigned CVE identifier. This creates a clean mapping between the catalog entry and the vulnerability records used by scanner vendors, patch management systems, and asset management platforms. Second, CISA must have evidence of active exploitation in the wild. Proof-of-concept code, theoretical attack paths, and researcher demonstrations do not meet this threshold. CISA requires evidence that real threat actors are using the vulnerability in real attacks against real targets. Third, a clear remediation action must exist. CISA does not add vulnerabilities to the catalog if there is no patch, vendor mitigation, or documented workaround available. Adding an unmitigable vulnerability to a mandatory remediation list would create a compliance obligation with no possible path to compliance.

The active exploitation criterion is the differentiator. Of the tens of thousands of CVEs published annually, a fraction receive CVSS scores above 9.0. A smaller fraction of those high-severity CVEs appear in actual attack campaigns. The KEV catalog captures that smaller fraction. Organizations that remediate KEV entries before higher-CVSS-but-never-exploited vulnerabilities are making a rational prioritization decision backed by threat intelligence, not just severity theory.

Catalog Growth and Continuous Addition

The catalog contained roughly 300 entries when BOD 22-01 took effect in late 2021. By early 2026, that count exceeds 1,500 entries. CISA does not add entries on a fixed schedule. New entries appear whenever CISA confirms exploitation evidence meeting the three criteria. Some weeks produce no new entries. Others produce a dozen, particularly when a threat actor campaign targeting widely deployed software becomes visible in CISA’s intelligence sources.

Each new catalog addition restarts the remediation clock. An FCEB agency that cleared its initial KEV backlog in early 2022 and treated BOD 22-01 as a closed project has accumulated remediation obligations for every entry added since. More than 1,200 entries were added between early 2022 and early 2026, each carrying a 2-week or 6-month deadline depending on the year of the CVE identifier. Agencies without active KEV monitoring programs will discover these gaps during FISMA assessments.

The audit fix. Download the full KEV catalog in JSON or CSV format from cisa.gov/known-exploited-vulnerabilities-catalog. Every entry includes the CVE identifier, vendor and product name, catalog addition date, the required action, and the FCEB remediation due date. Import the catalog into your vulnerability management platform and map every entry against your asset and software inventory, normalizing vendor and product names on both sides so casing and spelling differences do not hide matches. Identify every entry where you have an affected system and the due date has passed. Each represents an open compliance finding requiring a POA&M entry. Set a weekly reconciliation process to compare new catalog additions against your asset inventory, and generate remediation tickets within 24 hours of each new addition.
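The reconciliation described above, and the due-date arithmetic from the timeline section, as an added example. This is not code from the page, from CISA, or from any scanner vendor. It assumes the shape of CISA's JSON feed (a top-level "vulnerabilities" list whose entries carry cveID, vendorProject, product, dateAdded, dueDate and requiredAction); the catalog excerpt, the CVE IDs, the vendor and product names, and the hostnames are constructed placeholders. It computes the BOD 22-01 default window from the CVE year, flags entries where CISA's published due date differs from that default (the published date governs), matches entries to inventory on normalized vendor/product, and sorts overdue findings to the top.

```python
"""Reconcile a KEV catalog feed against a software inventory and compute
BOD 22-01 due-date status.

Added example; not code from this page, from CISA, or from any scanner
vendor. It assumes the shape of CISA's JSON feed (a top-level
"vulnerabilities" list whose entries carry cveID, vendorProject, product,
dateAdded, dueDate and requiredAction). The catalog excerpt, CVE IDs,
vendors, products and hostnames below are constructed placeholders.
"""
import json
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed excerpt in the shape of the KEV JSON feed. The CVE IDs are
# placeholders, not real catalog entries.
KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2019-00001", "vendorProject": "ExampleVendor", "product": "Gateway",
     "dateAdded": "2026-03-02", "dueDate": "2026-09-02",
     "requiredAction": "Apply mitigations per vendor instructions."},
    {"cveID": "CVE-2026-00002", "vendorProject": "ExampleVendor", "product": "Gateway",
     "dateAdded": "2026-04-20", "dueDate": "2026-05-04",
     "requiredAction": "Apply mitigations per vendor instructions."},
    {"cveID": "CVE-2026-00003", "vendorProject": "OtherVendor", "product": "Portal",
     "dateAdded": "2026-05-10", "dueDate": "2026-05-31",
     "requiredAction": "Apply mitigations per vendor instructions."}
  ]
}"""

# Constructed inventory rows: (hostname, vendor, product). Casing and spacing
# vary on purpose, since real inventories are rarely normalized.
INVENTORY = [
    ("web01", "ExampleVendor", "Gateway"),
    ("vpn02", "examplevendor", "GATEWAY"),
    ("portal01", "OtherVendor", "Portal"),
    ("db01", "SomeoneElse", "Database"),
]


@dataclass(frozen=True)
class Finding:
    host: str
    cve_id: str
    date_added: date
    due_date: date       # the catalog's own dueDate: the binding deadline
    default_due: date    # BOD 22-01 default computed from the CVE year
    days_remaining: int  # negative once the due date has passed

    @property
    def overdue(self) -> bool:
        return self.days_remaining < 0

    @property
    def cisa_adjusted(self) -> bool:
        """True when CISA published a due date other than the directive default."""
        return self.due_date != self.default_due


def add_months(d: date, months: int) -> date:
    """Calendar-month addition that clamps to the last day of the target month."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    next_month_start = date(year + (month == 12), month % 12 + 1, 1)
    last_day = (next_month_start - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))


def bod_22_01_default_due(cve_id: str, date_added: date) -> date:
    """Directive default: 6 months for CVE IDs assigned before 2021, 2 weeks otherwise."""
    cve_year = int(cve_id.split("-")[1])
    return add_months(date_added, 6) if cve_year < 2021 else date_added + timedelta(days=14)


def normalize(s: str) -> str:
    return " ".join(s.casefold().split())


def reconcile(kev_json: str, inventory, as_of: date) -> list[Finding]:
    """Match catalog entries to inventory by (vendor, product); overdue items sort first."""
    by_product: dict[tuple[str, str], list[str]] = {}
    for host, vendor, product in inventory:
        by_product.setdefault((normalize(vendor), normalize(product)), []).append(host)

    findings = []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        key = (normalize(entry["vendorProject"]), normalize(entry["product"]))
        if key not in by_product:
            continue  # no affected asset: nothing to remediate or report
        added = date.fromisoformat(entry["dateAdded"])
        due = date.fromisoformat(entry["dueDate"])
        default_due = bod_22_01_default_due(entry["cveID"], added)
        for host in by_product[key]:
            findings.append(Finding(host, entry["cveID"], added, due, default_due,
                                    (due - as_of).days))
    return sorted(findings, key=lambda f: (f.days_remaining, f.cve_id, f.host))


if __name__ == "__main__":
    for f in reconcile(KEV_JSON, INVENTORY, as_of=date(2026, 5, 18)):
        status = f"OVERDUE by {-f.days_remaining} days" if f.overdue else f"due in {f.days_remaining} days"
        note = " (CISA-adjusted due date)" if f.cisa_adjusted else ""
        print(f"{f.host:10} {f.cve_id:16} added {f.date_added} due {f.due_date} {status}{note}")
```

Run as-is against the constructed data with a reporting date of 2026-05-18, the two Gateway hosts show the 2026 entry fourteen days overdue, the Portal entry shows a CISA-adjusted due date (published 2026-05-31 rather than the 14-day default of 2026-05-24), and the pre-2021 entry shows a six-month window that ends 2026-09-02. In production, swap KEV_JSON for the downloaded feed and INVENTORY for a CDM or CMDB export, and keep the vendor/product normalization, because that join is where most missed matches come from.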

Bottom Line Up Front

KEV catalog compliance is fundamentally an asset inventory problem before it is a patching problem. An agency that cannot confirm whether a newly added catalog entry affects any of its systems cannot start the remediation clock accurately. Every delay in asset discovery eats into the compliance window. Agencies investing in KEV compliance should start with asset visibility, not patch velocity.

KEV vs. CVSS: Understanding the Prioritization Gap

CVSS scores and KEV catalog membership answer different questions. CVSS measures theoretical severity based on attack vector, attack complexity, privileges required, user interaction, scope, and impact. KEV membership answers a simpler and operationally more useful question: are attackers actually using this vulnerability right now? Both data points belong in a mature vulnerability management program. Understanding what each measures, and where each fails, determines how to weight them in prioritization decisions.

Where CVSS Fails the Prioritization Test

CVSS scores inflate toward the high end. A significant share of CVEs published each year receive scores of 7.0 or above, qualifying as "high" severity. Organizations that prioritize by CVSS score alone must triage hundreds of high and critical findings simultaneously. The scoring model does not distinguish between a vulnerability with a known exploit kit in active use and a vulnerability that is network-reachable on paper but depends on preconditions (a non-default configuration, a race the attacker must win, detailed knowledge of the target) that virtually no real attacker will meet. Both might score 9.0. Only one is a fire.

The prioritization consequence is queue saturation. Patch teams working from a CVSS-sorted vulnerability list spend significant capacity on theoretically severe findings that threat actors are not using while genuinely exploited vulnerabilities with slightly lower CVSS scores sit in the backlog. The Verizon Data Breach Investigations Report has documented for years that exploitation of vulnerabilities in confirmed breaches concentrates on a small subset of CVEs with active exploit code, not the full population of high-severity findings.

How KEV Membership Complements CVSS

The KEV catalog does not replace CVSS. It filters it. A vulnerability with a KEV entry and a CVSS score of 7.5 warrants faster remediation than a vulnerability with no KEV entry and a CVSS score of 9.8. The KEV entry is confirmed exploitation evidence. The 9.8 CVSS is a severity model output that tells you the damage potential if exploitation occurs. For organizations with finite patching capacity, confirmed exploitation evidence is the more operationally relevant signal.

Mature vulnerability management programs use CVSS to assess potential impact and KEV membership to assess actual threat actor behavior. A vulnerability that is both KEV-listed and CVSS-critical goes to the front of the queue. A vulnerability that is CVSS-critical but has no exploitation evidence goes into the standard priority rotation. A vulnerability that is KEV-listed but CVSS-moderate still carries urgency because the exploitation evidence is real, even if the potential damage ceiling is lower than the critical-rated finding that no one is actually using.

What it measures
  CVSS score: Theoretical severity based on attack characteristics and potential impact
  KEV catalog membership: Confirmed active exploitation evidence in real-world attacks
  Recommended use: Use CVSS for potential damage assessment

Data source
  CVSS score: Base metrics assigned by the CNA or NVD analysts from the CVE's technical details
  KEV catalog membership: CISA threat intelligence confirming active exploitation
  Recommended use: Use KEV for actual threat actor behavior

Update frequency
  CVSS score: Set at publication; occasionally revised
  KEV catalog membership: Updated continuously as CISA confirms new exploitation
  Recommended use: Monitor KEV continuously; treat CVSS as a stable reference

Prioritization signal
  CVSS score: High volume of critical/high ratings reduces signal clarity
  KEV catalog membership: Selective inclusion means every entry represents a confirmed threat
  Recommended use: KEV membership is the higher-confidence prioritization signal

Federal mandate
  CVSS score: No direct remediation mandate from a CVSS score alone
  KEV catalog membership: Mandatory remediation for FCEB agencies within defined timelines
  Recommended use: KEV drives compliance obligations; CVSS informs risk context

Private sector relevance
  CVSS score: Standard across all sectors, widely integrated in scanner tools
  KEV catalog membership: Voluntary adoption; CISA explicitly encourages use as a prioritization framework
  Recommended use: Both apply; KEV membership warrants faster action in any sector
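The queue ordering described in the two paragraphs before the table (KEV-listed and critical first, KEV-listed at any score next, CVSS-high or critical without exploitation evidence in the standard rotation, everything else last), as an added example in code. This is not code from the page or from any scanner product. The findings, CVSS values and catalog due dates are constructed, and the CVE IDs are placeholders; within the two KEV tiers it breaks ties by the nearest catalog due date and then by CVSS, which is the order a compliance deadline actually imposes.

```python
"""Triage ordering that puts confirmed exploitation ahead of theoretical severity.

Added example; not code from this page or from any scanner product. The
findings, CVSS values and catalog due dates are constructed, and the CVE IDs
are placeholders rather than real vulnerabilities.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class ScanFinding:
    host: str
    cve_id: str
    cvss: float
    kev_due: Optional[date]  # the KEV catalog dueDate when listed, else None


def triage_tier(f: ScanFinding) -> int:
    """Lower tier number = earlier in the queue.

    0: KEV-listed and CVSS critical  (confirmed exploitation, highest damage ceiling)
    1: KEV-listed, any other score   (exploitation evidence is real; still urgent)
    2: CVSS high/critical, not KEV   (theoretical severity only: standard rotation)
    3: everything else
    """
    if f.kev_due is not None:
        return 0 if f.cvss >= 9.0 else 1
    return 2 if f.cvss >= 7.0 else 3


def triage_order(findings: list[ScanFinding]) -> list[ScanFinding]:
    """Tier first; within a tier, nearest catalog due date, then higher CVSS."""
    return sorted(findings, key=lambda f: (triage_tier(f), f.kev_due or date.max, -f.cvss))


def queue(findings: list[ScanFinding]) -> list[str]:
    """CVE IDs in the order the patch team should work them."""
    return [f.cve_id for f in triage_order(findings)]


# Constructed sample findings (placeholder CVE IDs, not real vulnerabilities).
SAMPLE = [
    ScanFinding("web01", "CVE-2026-00002", 7.5, date(2026, 5, 4)),   # KEV, high
    ScanFinding("web01", "CVE-2026-00100", 9.8, None),               # critical, no KEV
    ScanFinding("app03", "CVE-2025-00200", 9.1, date(2026, 5, 31)),  # KEV and critical
    ScanFinding("db01", "CVE-2024-00300", 5.3, None),                # medium, no KEV
    ScanFinding("vpn02", "CVE-2019-00001", 8.8, date(2026, 9, 2)),   # KEV, high
]

if __name__ == "__main__":
    for f in triage_order(SAMPLE):
        print(f"tier {triage_tier(f)}  {f.host:8} {f.cve_id:16} CVSS {f.cvss:<4} KEV due {f.kev_due or '-'}")
```

On the constructed sample the 9.8 with no exploitation evidence lands fourth, behind three KEV entries that include a 7.5 and an 8.8: exactly the inversion of a CVSS-sorted queue that the text argues for. The tier thresholds (9.0, 7.0) mirror the CVSS "critical" and "high" bands and are the obvious knobs to tune.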

CDM Integration and Federal Dashboard Reporting

BOD 22-01 remediation reporting runs through the CDM program. The CDM program provides the technical infrastructure that makes CISA’s visibility into agency compliance possible. Agencies report KEV remediation status through their CDM Agency Dashboard, and CISA aggregates that data across the federal enterprise through the CDM Federal Dashboard. Understanding how this pipeline works explains why asset inventory gaps translate directly into BOD 22-01 compliance failures.

How CDM Surfaces Compliance Status

CDM sensors feed asset and vulnerability data into the CDM Agency Dashboard continuously. When CISA adds a new catalog entry, CDM-enabled agencies can identify which assets run the affected software by querying dashboard data. Remediation status updates in the dashboard as patches are applied and confirmed. The CDM Federal Dashboard gives CISA a cross-agency view that includes the software inventory data feeding each agency’s dashboard. Agencies whose CDM data shows affected software but whose remediation status shows no action within the compliance window have a visible gap that CISA can identify without requiring an agency-generated report.

Asset Inventory as the Compliance Foundation

An agency cannot confirm KEV remediation on a system it does not know exists. Asset inventory completeness is the prerequisite for every other BOD 22-01 compliance step. BOD 23-01, issued October 2022, directly addresses this dependency by requiring asset discovery at least every seven days and vulnerability enumeration at least every 14 days for all IP-addressable assets. Agencies treating BOD 22-01 and BOD 23-01 as separate programs miss the structural dependency: BOD 23-01 compliance provides the asset visibility that makes BOD 22-01 compliance possible. An agency with a 30-day asset discovery cycle and a 14-day KEV remediation window cannot meet the timeline requirement for catalog entries with 2021+ CVE identifiers.

CDM-Approved Tools and Scanner Integration

CDM operates through an approved tools list maintained by CISA. Vulnerability scanners and asset discovery products on the approved list integrate directly with the CDM Agency Dashboard, allowing automated data ingestion. Agencies running scanning tools not on the approved list must build a separate pipeline to move scan data into CDM. A scanner that identifies a remediated KEV entry but cannot automatically update the CDM dashboard requires manual data reconciliation. That manual step introduces latency and error risk that a KEV compliance program running on 14-day windows cannot absorb reliably.

The audit fix. Confirm that your primary vulnerability scanner appears on the current CISA CDM approved tools list. Verify that KEV catalog entries are flagged automatically in your scanner output when CISA adds new entries. Test your CDM data pipeline by patching a known test system for a KEV entry and confirming that the remediation status updates in your CDM Agency Dashboard within 24 hours. If the update requires manual steps, document those steps and assign an owner to execute them within the compliance window. Run a full reconciliation between your CDM dashboard vulnerability data and your scanner output quarterly to identify systems the CDM sensors are not reaching.

Private Sector Adoption of the CISA KEV Catalog

BOD 22-01 mandates KEV remediation for federal agencies. Nothing in the directive requires private sector organizations to follow it. CISA has been explicit about encouraging voluntary adoption anyway, and a significant number of private sector vulnerability management programs have built KEV prioritization into their standard operating procedures. The reasons are practical.

Why the KEV Catalog Translates to the Private Sector

The three inclusion criteria for KEV entries do not change based on the target organization. Active exploitation evidence means threat actors are using the vulnerability against real targets. Those targets include private companies, critical infrastructure operators, healthcare systems, and financial institutions. A KEV-listed vulnerability in a widely deployed product represents a threat to any organization running that product. The catalog is a public threat intelligence feed, not a federal-only reference document.

Cyber insurance underwriters and security assessors have increasingly incorporated KEV catalog remediation into their evaluation frameworks. The federal BOD 22-01 remediation windows (two weeks for newer CVEs, six months for older CVE identifiers) provide a benchmark that private sector programs can adapt to their own risk tolerance and patching capacity without adopting the full BOD 22-01 compliance framework.

The audit fix. Integrate the KEV catalog into your existing vulnerability management platform. Most enterprise scanners support KEV tagging natively or through a feed integration. Set a policy requiring remediation of all KEV-listed findings within 30 days as a starting benchmark, then tighten the window based on your patch velocity data. Track KEV remediation separately from general vulnerability metrics. Report KEV compliance metrics to leadership alongside CVSS-based patch rates to demonstrate that your program addresses actual attacker behavior, not just theoretical severity.

The CISA KEV catalog resolved a problem that CVSS scoring never could: distinguishing vulnerabilities that attackers actually use from the much larger population of vulnerabilities they theoretically could. For FCEB agencies, BOD 22-01 makes KEV remediation a mandatory compliance obligation with enforceable timelines and CDM-visible reporting. For everyone else, the catalog is the closest thing to a real-time exploitability feed that the federal government publishes openly. Build your remediation program around it. The agencies and organizations that get this right spend their patching capacity on the vulnerabilities that matter. The ones that sort by CVSS score stay permanently overwhelmed.

Frequently Asked Questions

What is the CISA KEV catalog compliance guide for federal agencies?

The CISA KEV catalog compliance framework for federal agencies is established by Binding Operational Directive 22-01, issued November 3, 2021. The directive requires all Federal Civilian Executive Branch agencies to remediate vulnerabilities listed in the Known Exploited Vulnerabilities catalog within 14 calendar days for entries with CVE identifiers assigned in 2021 or later, and within six months for entries with pre-2021 CVE identifiers, measured from the date CISA adds the entry to the catalog [BOD 22-01]. Agencies report remediation status through the CDM program dashboard.

How does CISA decide which vulnerabilities to add to the KEV catalog?

CISA applies three criteria for every catalog entry: the vulnerability must have an assigned CVE identifier, CISA must have evidence of active exploitation in real-world attacks, and a clear remediation action must be available. Proof-of-concept code or researcher demonstrations do not satisfy the active exploitation criterion. CISA requires evidence of actual threat actor use. This three-criteria filter is why the KEV catalog carries higher prioritization signal than CVSS scores alone for organizations focused on actual attack surface.

How many entries does the CISA KEV catalog contain as of 2026?

The CISA KEV catalog contained approximately 300 entries when BOD 22-01 took effect in November 2021. By early 2026, the catalog exceeds 1,500 entries. CISA adds entries continuously rather than on a fixed schedule, as exploitation evidence is confirmed. Federal agencies must monitor the catalog continuously and treat each new addition as starting a fresh remediation clock from the catalog addition date.

Does the KEV catalog apply only to internet-facing systems?

BOD 22-01 covers all software and hardware on federal information systems. Early agency interpretations and CISA public communications focused on internet-accessible assets, but the directive text always reached internal systems. Internal systems, air-gapped environments, and contractor-managed systems operating within agency authority all fall within the directive’s scope. Agencies that limited their KEV program to internet-facing assets need to extend remediation tracking to their full system inventory.

How does the KEV catalog interact with CVSS scoring for vulnerability prioritization?

CVSS measures theoretical severity. KEV membership confirms active exploitation by real threat actors. A KEV-listed vulnerability with a moderate CVSS score warrants faster remediation than a critical-rated CVE with no exploitation evidence. Mature programs use both signals, treating KEV membership as the higher-confidence prioritization indicator.

Are private sector organizations required to comply with BOD 22-01?

No. BOD 22-01 applies exclusively to Federal Civilian Executive Branch agencies. Private sector organizations, state and local governments, and non-FCEB federal entities including the Department of Defense are not subject to mandatory KEV timelines. CISA explicitly encourages voluntary adoption of the KEV catalog as a prioritization framework, and many private sector security programs have incorporated KEV remediation policies modeled on the federal windows.

What happens if a federal agency misses a KEV remediation deadline?

CISA has visibility into agency KEV remediation status through the CDM Federal Dashboard. Agencies with overdue remediation generate findings in annual FISMA assessments conducted by agency Inspectors General. Those findings require POA&M entries and appear in FISMA scorecards submitted to OMB. Persistent KEV compliance gaps compound across assessment cycles until the underlying asset inventory and patch management capabilities are brought into alignment.

How does KEV compliance integrate with the CDM program?

CDM provides the reporting infrastructure for BOD 22-01 compliance. Agency CDM sensors feed asset and vulnerability data into the CDM Agency Dashboard, which CISA accesses through the CDM Federal Dashboard to assess remediation status. Gaps in CDM sensor deployment translate directly into gaps in KEV compliance reporting. BOD 23-01’s seven-day asset discovery cadence supports the asset visibility that makes CDM-based KEV reporting accurate.


Josef Kamara, CPA · CISSP · CISA · ACCA · Security+ · MBA

15+ years in Technology Risk Consulting, External and Internal Audit across KPMG (Financial Audit), BDO (Third-Party Risk Management Practice Lead), and Stryker (Head of SOX IT Audit). Founded The Audit Defense Library in 2024 after 50+ SOC 1, SOC 2, HITRUST, and HIPAA attestation engagements plus multiple SOX and IT assurance projects.
