Federal Cybersecurity

KEV Catalog

The CISA Known Exploited Vulnerabilities Catalog is the authoritative list of CVEs that CISA has determined carry significant risk to the federal enterprise, based on three criteria: an assigned CVE ID, clear remediation guidance, and reliable evidence of active exploitation. CISA Binding Operational Directive 22-01 (November 3, 2021) requires federal civilian executive branch agencies to remediate KEV-listed vulnerabilities within the timeframe CISA assigns, typically two weeks for vulnerabilities published before the directive and three weeks for new additions. The catalog is updated continuously and is published openly at cisa.gov.

The Authority Brief

One compliance analysis per week from Josef Kamara, CPA, CISSP, CISA. Federal and private compliance, written for practitioners.