CISA's KEV Catalog is an authoritative library of vulnerabilities that have been exploited in the wild. The KEV Catalog, short for Known Exploited Vulnerabilities Catalog, is maintained by CISA (the U.S. government’s Cybersecurity and Infrastructure Security Agency) and is used as a valuable vulnerability prioritization input.

The CISA KEV Catalog was born out of Binding Operational Directive 22-01 (BOD 22-01), which requires all federal civilian executive branch (FCEB) departments and agencies to remediate every software or hardware vulnerability listed in the catalog by the due date CISA attaches to the entry.

But while federal agencies are the primary audience for KEV (they are mandated to remediate each listed vulnerability within the timeframe set in the catalog), other organizations and industries across the private sector can also benefit from using KEV as an input to vulnerability prioritization. 

CISA updates the KEV Catalog (also sometimes referred to as the KEV List) on a continuous basis as new threats are identified. 

In this blog, we’ll cover how CISA decides whether to include new vulnerabilities on the KEV List, explain how new vulnerabilities are added to the Catalog, and provide guidance on using KEV alongside other vulnerability prioritization inputs.

Binding Operational Directive (BOD) 22-01 and the KEV Catalog

Any discussion of the CISA KEV Catalog starts with Binding Operational Directive 22-01 (BOD 22-01). The purpose of BOD 22-01 is to protect federal information systems against the vulnerabilities that pose a significant risk to the federal enterprise and to national security. Although the Directive does not apply to non-federal organizations, BOD 22-01 strongly recommends that they also use the KEV Catalog as an input to their own vulnerability management practice.

BOD 22-01 gave federal entities 60 days from its issuance (November 3, 2021) to review and update their internal vulnerability management procedures so that they track the catalog. From then on, they must remediate every vulnerability in the catalog within the timeframe CISA sets for it: the Directive specifies six months for vulnerabilities with a Common Vulnerabilities and Exposures (CVE) ID assigned prior to 2021 and two weeks for all other vulnerabilities, and each catalog entry carries an explicit due date.

BOD 22-01's Impact on KEV Implementation and Updates

Federal entities are required to remain in compliance with BOD 22-01 at all times, which means they must track KEV updates as new known exploited vulnerabilities are added to the catalog. This keeps remediation timely across federal networks and shortens the window in which an attacker can use a known-exploited flaw to compromise federal information systems. 

To stay current, federal entities and other organizations subscribe to CISA KEV email notifications for newly added KEVs; CISA also publishes the catalog as machine-readable JSON and CSV feeds that can be polled by tooling. These updates feed directly into vulnerability prioritization and into the defenses that protect federal systems.

CISA KEV Vulnerability Evaluation Process

All entries on the CISA KEV list are vulnerabilities, but not all vulnerabilities make their way into the KEV Catalog. Rather, there is a multi-step evaluation process that determines whether a vulnerability will be added.

Step 1: Vulnerability Detection and CVE Assignment

Once a new vulnerability is identified and assessed, it is assigned a Common Vulnerabilities and Exposures (CVE) ID by a CVE Numbering Authority (CNA). (For example, the infamous Log4Shell vulnerability was assigned CVE-2021-44228.) Without a CVE ID, a vulnerability cannot be listed in the catalog.

Step 2: Evaluation for KEV Catalog Inclusion  

Vulnerabilities are thoroughly evaluated to determine if they should be included in the KEV Catalog. The evaluation focuses on their exploitation status and the potential impact on critical systems and infrastructure.

Step 3: Stakeholder Input  

During the evaluation process, input and data from various stakeholders, including federal agencies, private sector entities, and security experts, are taken into account. This collective insight helps in making informed decisions about catalog inclusion. 

Step 4: KEV Catalog Inclusion  

Approved vulnerabilities are officially added to the CISA KEV Catalog. They are then documented in detail and made publicly available, providing a valuable resource for organizations to reference. Organizations are encouraged to use the KEV Catalog as an input to their vulnerability management prioritization framework.

Step 5: Continuous Monitoring and Updates  

The KEV Catalog is updated continuously as new exploitation is confirmed, so it remains a current resource for addressing known exploited vulnerabilities and for driving remediation. To stay in the loop, subscribe to KEV update notifications on the CISA KEV Catalog website or poll the published JSON or CSV feed.

KEV Catalog Inclusion Criteria

A vulnerability must meet three specific requirements to qualify as a KEV.

  1. It must be assigned a CVE ID.
  2. There must be reliable evidence of active exploitation in the wild, such as exploitation attempts observed against honeypots, use in ransomware campaigns, or other malicious activity. It’s important to note that CISA differentiates between vulnerabilities that have been actively exploited and those that theoretically can be exploited: security research on an exploit, scanning, and a proof of concept do not count as active exploitation. 
  3. There must be clear remediation guidance. CISA won’t add a vulnerability to the KEV list until there is concrete action for impacted organizations to take.

Using the KEV Catalog for Vulnerability Prioritization

Although only federal agencies are required to remediate vulnerabilities in the CISA KEV Catalog, all organizations should consider using it to help with vulnerability prioritization. Here’s an example of how you might use the KEV list alongside other prioritization inputs:

  1. Start by filtering vulnerabilities so that you’re focused only on issues impacting direct dependencies (which can generally be more easily remediated than issues impacting transitive dependencies). 
  2. Then, filter by CVSS score — as an example, you might decide to focus on 7.0 High and above, but different organizations have different risk tolerances. 
  3. Next, narrow your list to focus on the vulnerabilities with a fix available — you may also decide to start with fixes that are either patches or minor upgrades since those introduce the fewest breaking changes.
  4. From there, focus on KEV Catalog vulnerabilities.
  5. Finally, sort by EPSS score (FIRST’s Exploit Prediction Scoring System, an estimate of the probability that a CVE will be exploited in the next 30 days) to prioritize within the KEV-listed CVEs that remain.
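As an added example (not FOSSA’s code and not anything CISA publishes), the five steps above as a small Python pipeline that joins constructed scanner findings with a constructed excerpt of the KEV JSON feed. The feed URL and the field names used (cveID, dueDate, knownRansomwareCampaignUse) are assumed to match CISA’s published feed; every CVE ID other than CVE-2021-44228, and all dates, CVSS and EPSS values, are placeholders made up for the example. It also keeps a second list of KEV entries that steps 1 through 3 discarded, since a vulnerability with in-the-wild exploitation evidence on a transitive dependency or behind a major upgrade should be reviewed rather than forgotten.

```python
"""Join dependency-scanner findings with the CISA KEV feed and apply the
five-step prioritization from the text. Added example; sample data only."""
import json
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt in the shape of CISA's KEV JSON feed. Assumption: the
# live feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json)
# uses these field names; verify before relying on them. CVE-2021-44228 is the
# Log4Shell entry named in the text; the other IDs and all dates are placeholders.
KEV_FEED_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
     "dateAdded": "2021-12-10", "dueDate": "2021-12-24",
     "requiredAction": "Apply updates per vendor instructions.",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2020-00001", "vendorProject": "ExampleCo", "product": "ExampleLib",
     "dateAdded": "2022-03-01", "dueDate": "2022-03-15",
     "requiredAction": "Apply updates per vendor instructions.",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2023-00002", "vendorProject": "ExampleCo", "product": "OtherLib",
     "dateAdded": "2023-06-01", "dueDate": "2023-06-22",
     "requiredAction": "Apply updates per vendor instructions.",
     "knownRansomwareCampaignUse": "Unknown"}
  ]
}"""


@dataclass(frozen=True)
class Finding:
    """One scanner finding: a CVE affecting one dependency of the project."""
    cve: str
    package: str
    direct: bool              # True for a direct dependency, False for transitive
    cvss: float               # CVSS base score as reported by the scanner
    fix_kind: Optional[str]   # "patch", "minor", "major", or None when no fix exists
    epss: float               # EPSS probability as reported by the scanner


# Constructed findings (sample data, not real scanner output).
FINDINGS = [
    Finding("CVE-2021-44228", "log4j-core", True, 10.0, "minor", 0.97),
    Finding("CVE-2020-00001", "examplelib", True, 8.1, "patch", 0.40),
    Finding("CVE-2023-00002", "otherlib", True, 9.8, "major", 0.90),     # fix is a major upgrade
    Finding("CVE-2023-00003", "quietlib", True, 7.5, "patch", 0.02),     # not in KEV
    Finding("CVE-2020-00001", "examplelib", False, 8.1, "patch", 0.40),  # same CVE, transitive path
    Finding("CVE-2023-00004", "lowlib", True, 5.3, "patch", 0.10),       # below CVSS threshold
]


def load_kev(feed_json: str) -> dict:
    """Index the KEV feed by CVE ID so membership checks are a dict lookup."""
    feed = json.loads(feed_json)
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def prioritize(findings, kev, min_cvss=7.0, fix_kinds=("patch", "minor")):
    """Apply the five steps in order and return the ranked worklist.
    min_cvss and fix_kinds are the organization's risk-tolerance knobs."""
    direct = [f for f in findings if f.direct]                    # 1. direct deps only
    severe = [f for f in direct if f.cvss >= min_cvss]            # 2. CVSS threshold
    fixable = [f for f in severe if f.fix_kind in fix_kinds]      # 3. low-friction fix available
    exploited = [f for f in fixable if f.cve in kev]              # 4. on the KEV list
    return sorted(exploited, key=lambda f: f.epss, reverse=True)  # 5. rank by EPSS


def kev_dropped_by_filters(findings, kev, **kwargs):
    """KEV-listed findings that steps 1-3 removed. They still carry in-the-wild
    exploitation evidence, so they go on a second worklist for review."""
    kept = set(prioritize(findings, kev, **kwargs))
    return [f for f in findings if f.cve in kev and f not in kept]


def describe(f, kev):
    """One line per finding with the KEV due date and ransomware flag attached."""
    entry = kev[f.cve]
    return (f"{f.cve} {f.package} ({'direct' if f.direct else 'transitive'}) "
            f"CVSS={f.cvss} EPSS={f.epss:.2f} KEV due={entry['dueDate']} "
            f"ransomware={entry['knownRansomwareCampaignUse']}")


if __name__ == "__main__":
    kev = load_kev(KEV_FEED_JSON)
    print("Ranked worklist:")
    for f in prioritize(FINDINGS, kev):
        print("  " + describe(f, kev))
    print("KEV entries removed by earlier filters (review separately):")
    for f in kev_dropped_by_filters(FINDINGS, kev):
        print("  " + describe(f, kev))
```

Run it directly to print both lists. In a real pipeline, fetch the live feed on a schedule (the same catalog data CISA publishes alongside the email subscription), replace FINDINGS with your scanner’s export, and treat the KEV due date as the remediation SLA for each entry; the EPSS values here are placeholders, and a real run would pull them from FIRST.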

Prioritizing Vulnerabilities with FOSSA

FOSSA's platform makes it easy for organizations to use the CISA KEV Catalog (along with the other inputs described in the previous section) to prioritize vulnerabilities. Here’s how it works. 

  1. Log into your FOSSA account. 
  2. Go to the Issues: Security tab in the header menu.
  3. Check the “Direct” dependency box (in the right-side menu) to exclude transitive dependencies.
  4. Use the “Severity” module (in the right-side menu) to filter by CVSS score based on your desired risk tolerance.
  5. Check the “Has Fix” box (in the “Upgrade Distance” module in the right-side menu); consider scoping to “patch” or “minor” fix.
  6. Check the “Known Exploit” box (in the “Exploit Maturity” module in the right-side menu). This is how FOSSA indicates that a vulnerability is on the KEV list.
  7. Select “Highest EPSS” in the “Sort by” dropdown in the top menu (the list is sorted by “Highest Severity” by default).

[Screenshot: How to prioritize vulnerabilities with FOSSA's product]

Note: The CISA KEV Catalog is a great starting place to prioritize the highest-impact vulnerabilities, but is insufficient in isolation. We encourage organizations to continuously remediate all vulnerabilities within their risk profile.

Conclusion and Recommendations

The CISA KEV Catalog is a valuable input that can help application security teams focus on the most pressing vulnerabilities. Since KEV only includes vulnerabilities with evidence of real-world exploitation, it’s a great complement to other vulnerability metrics that focus more on severity. Ultimately, federal agencies, private sector companies, and other organizations all benefit from the actionable insights and timely updates offered by the KEV list.

For additional perspective on using the KEV Catalog alongside other vulnerabilities prioritization inputs — and to get a demo of how you can use FOSSA to focus on the vulnerabilities that matter most — get in touch with our team by filling out the form on this page.

CISA KEV List FAQs

What is the purpose of the CISA KEV Catalog?

The CISA KEV Catalog provides a centralized list of actively exploited vulnerabilities, helping federal agencies and private sector entities prioritize remediation efforts to mitigate the most critical threats promptly.

Are federal entities required to remediate KEVs?

Yes, federal entities must remediate KEVs within the timeframes specified in the catalog, as mandated by BOD 22-01. The goal is to ensure agencies quickly address vulnerabilities that are being exploited, strengthening the security of federal information systems in the process.

How does CISA decide whether to list a vulnerability in the KEV Catalog?

A vulnerability can be listed in the KEV Catalog if it has:

1. An assigned Common Vulnerabilities and Exposures (CVE) ID
2. Reliable evidence of active exploitation in the wild
3. Clear remediation actions, such as vendor-provided updates

How can organizations sign up for KEV Catalog updates?

Organizations can get the latest CISA KEV updates through the CISA KEV Catalog website. Just click the ‘Subscribe Now’ icon at the bottom of the page and enter your email address.