Binding Operational Directive

Binding Operational Directive is a mandatory cyber risk management order that the U.S. Cybersecurity and Infrastructure Security Agency issues to federal civilian executive branch agencies, requiring specific security actions, deadlines, and reporting to address defined vulnerabilities and strengthen the security of federal information systems.

Related Perspectives

CISA adds Android Framework vulnerabilities to KEV catalog

December 2, 2025

CISA added two Android Framework vulnerabilities to the Known Exploited Vulnerabilities Catalog after evidence of active exploitation.

CISA adds two Android framework CVEs to KEV catalog

December 2, 2025

CISA added CVE-2025-48572 and CVE-2025-48633, Android Framework vulnerabilities, to its Known Exploited Vulnerabilities Catalog.

CISA adds Samsung mobile device vulnerability CVE-2025-21042 to KEV catalog

December 1, 2025

CISA adds Samsung mobile device out-of-bounds write flaw CVE-2025-21042 to Known Exploited Vulnerabilities Catalog.

CISA adds one known exploited vulnerability to catalog

November 28, 2025

CISA added a new vulnerability, CVE-2025-61757, involving missing authentication in Oracle Fusion Middleware, to its Known Exploited Vulnerabilities Catalog due to active exploitation. Federal agencies must remediate it per Binding Operational Directive 22-01. CISA urges all organizations to prioritize addressing such vulnerabilities.

CISA adds known exploited vulnerability to catalog

November 28, 2025

CISA includes CVE-2021-26829 OpenPLC ScadaBR XSS vulnerability in its Known Exploited Vulnerabilities Catalog following reports of active exploitation.

CISA issues update to Known Exploited Vulnerabilities Catalog including Fortinet flaw

November 28, 2025

CISA added CVE-2025-64446, a Fortinet FortiWeb path traversal flaw, to its Known Exploited Vulnerabilities Catalog amid active exploitation.