The Cybersecurity and Infrastructure Security Agency (CISA) maintains the Known Exploited Vulnerabilities (KEV) Catalog, a curated list of vulnerabilities with evidence of active exploitation. This catalog serves as a critical tool for organizations to prioritize remediation efforts effectively.
-
Authoritative Source: The KEV Catalog is recognized as the definitive list of vulnerabilities exploited in the wild, providing organizations with actionable intelligence to mitigate risks.
-
Mandatory for Federal Agencies: Under Binding Operational Directive (BOD) 22-01, federal civilian executive branch agencies are required to remediate listed vulnerabilities within specified timeframes to protect federal networks against active threats.
-
Recommended for All Organizations: While BOD 22-01 mandates apply to federal agencies, CISA strongly encourages all organizations, including state, local, tribal, territorial governments, and the private sector, to prioritize remediation of KEV-listed vulnerabilities to enhance their security posture.
-
Regular Updates: The catalog is continuously updated as new vulnerabilities are identified and verified to be actively exploited, ensuring organizations have access to the most current threat information.
-
Accessible Formats: To facilitate integration into various security workflows, the KEV Catalog is available in multiple formats, including CSV and JSON, allowing for seamless incorporation into vulnerability management systems.
Utilizing the KEV Catalog enables organizations to focus their remediation efforts on vulnerabilities that pose the most significant threats, thereby strengthening their overall cybersecurity defenses.
