CISA launched the KEV Catalog in 2021 to inform the cybersecurity community and network defenders about vulnerabilities that threat actors have already exploited. The goal of the KEV Catalog is to help organizations better manage vulnerabilities and more effectively prioritize vulnerability management.

Once a vulnerability is added to the KEV Catalog, Federal Civilian Executive Branch (FCEB) departments and agencies must remediate it, such as by updating SharePoint with the patch Microsoft released for the most recent entry. However, statutorily defined “national security systems” and certain systems operated by the Department of Defense or the intelligence community are excluded from the requirement. Although not mandated by law, CISA strongly recommends that other organizations also use the catalog to stay up to date on current threats.

Agencies are required to remediate vulnerabilities within a specific time frame included in the KEV Catalog entry. CISA determines the time frame for each vulnerability based on its threat to the federal enterprise. Most vulnerabilities must be remediated within two weeks of issuance, but the time frame can be as short as a few days in cases of grave risk.

CISA recommends that organizations and agencies use automated vulnerability management tools that automatically incorporate the KEV Catalog and flag or prioritize the vulnerabilities it lists. With such tools, organizations no longer need to monitor the KEV Catalog manually, which saves time and reduces the risk of missing a critical vulnerability.
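The following is an added example, not code from CISA or from any vendor's tool, of the cross-referencing such automation performs: it loads a KEV-style JSON document, matches scanner findings by CVE id, and orders the hits by the catalog's due date (ransomware-linked entries first when dates tie). The JSON sample is constructed; its field names follow the public KEV feed's schema as this editor knows it, and every CVE id, date and host name in it is a placeholder. The scanner-findings format is assumed.

```python
"""Match scanner findings against KEV entries and rank them by remediation due date."""
import json
from datetime import date

# Constructed sample shaped like the KEV JSON feed (the live feed is published by CISA
# at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json;
# this example never fetches it). Field names are assumed from the feed schema;
# CVE ids, dates and products below are placeholders, not real catalog entries.
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "example",
  "dateReleased": "2024-01-10T00:00:00.0000Z",
  "count": 3,
  "vulnerabilities": [
    {"cveID": "CVE-1900-0001", "vendorProject": "ExampleVendor", "product": "ExampleServer",
     "vulnerabilityName": "ExampleServer RCE (placeholder)", "dateAdded": "2024-01-02",
     "shortDescription": "constructed entry", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2024-01-05", "knownRansomwareCampaignUse": "Known", "notes": ""},
    {"cveID": "CVE-1900-0002", "vendorProject": "ExampleVendor", "product": "ExampleGateway",
     "vulnerabilityName": "ExampleGateway auth bypass (placeholder)", "dateAdded": "2024-01-02",
     "shortDescription": "constructed entry", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2024-01-16", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    {"cveID": "CVE-1900-0003", "vendorProject": "OtherVendor", "product": "ExampleCMS",
     "vulnerabilityName": "ExampleCMS file upload (placeholder)", "dateAdded": "2024-01-02",
     "shortDescription": "constructed entry", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2024-01-16", "knownRansomwareCampaignUse": "Known", "notes": ""}
  ]
}
"""

# Constructed scanner output: one finding per (host, CVE). The last one is not in the
# KEV sample and should be ignored by the matcher. Format is an assumption for this example.
SAMPLE_FINDINGS = [
    {"host": "web-01.example.test", "cve": "CVE-1900-0002"},
    {"host": "cms-01.example.test", "cve": "CVE-1900-0003"},
    {"host": "app-07.example.test", "cve": "CVE-1900-0001"},
    {"host": "db-02.example.test", "cve": "CVE-1900-9999"},
]


def load_kev(raw_json: str) -> dict[str, dict]:
    """Index the catalog's 'vulnerabilities' array by CVE id for O(1) lookups."""
    catalog = json.loads(raw_json)
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def prioritize(findings: list[dict], kev_index: dict[str, dict], today_iso: str) -> list[dict]:
    """Return only findings that are in the KEV index, most urgent first.

    Urgency is the number of days left until the catalog's dueDate (negative when
    overdue); entries with known ransomware use win ties.
    """
    today = date.fromisoformat(today_iso)
    hits = []
    for finding in findings:
        entry = kev_index.get(finding["cve"])
        if entry is None:
            continue  # not a KEV: leave it to normal severity-based triage
        due = date.fromisoformat(entry["dueDate"])
        hits.append({
            "host": finding["host"],
            "cve": finding["cve"],
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "due": entry["dueDate"],
            "days_left": (due - today).days,
            "overdue": due < today,
            "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
            "action": entry["requiredAction"],
        })
    hits.sort(key=lambda h: (h["days_left"], not h["ransomware"]))
    return hits


if __name__ == "__main__":
    index = load_kev(SAMPLE_KEV_JSON)
    for hit in prioritize(SAMPLE_FINDINGS, index, "2024-01-08"):
        flag = "OVERDUE" if hit["overdue"] else f'{hit["days_left"]}d left'
        print(f'{hit["host"]:24} {hit["cve"]:14} due {hit["due"]} ({flag}) {hit["action"]}')
```

In a real deployment the `SAMPLE_KEV_JSON` string would be replaced by the downloaded feed, refreshed on a schedule, and the findings would come from the scanner's export; the matching and sorting logic stays the same. Keying on `dueDate` rather than on CVSS is the point: the KEV deadline, not the severity score, is what the remediation requirement is measured against.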