vm-2 | Critical priority | Vulnerability Management

CISA Known Exploited Vulnerabilities are remediated on priority timelines

The CISA Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilities that have confirmed, active exploitation in the wild. These are not theoretical risks; they are being used by attackers right now. Federal agencies are required to remediate KEV findings within defined timelines, but any organization should treat the KEV catalog as the highest-priority remediation queue. A CVSS score alone is not a reliable prioritization signal; KEV status is a stronger indicator of imminent risk.

Complete first: vm-1

Implementation steps

  1. Subscribe to the CISA KEV catalog and cross-reference your asset inventory

     Pull the KEV catalog feed at least daily, either through your vulnerability scanner's integration or by subscribing to the CISA RSS feed or JSON feed directly. Configure your scanner to flag findings that match KEV entries distinctly from other findings. Any KEV match on any system should trigger an immediate alert to your security team.

     Tools: tenable, qualys, rapid7, cisa-kev-feed, crowdstrike-spotlight
  2. Establish and enforce KEV remediation timelines

     Set a remediation SLA for KEV findings. CISA recommends two weeks for most, but adjust based on your risk tolerance and system criticality. For internet-facing systems, target 48-72 hours. Create a mandatory escalation path: if a KEV finding is not remediated by the deadline, it escalates to the CISO or engineering leadership. Track all open KEV findings in your ticketing system.

     Tools: jira, servicenow, tenable, qualys, pagerduty
  3. Implement compensating controls when patching is not immediately possible

     When a patch is not available or patching will be delayed, apply compensating controls. This may include disabling the affected service, applying a WAF rule, restricting network access to the affected system, or enabling enhanced monitoring. Document the compensating control, its expiry date, and the plan to patch. Do not leave compensating controls in place indefinitely.

     Tools: aws-waf, cloudflare, palo-alto, crowdstrike, confluence
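As an added example (not part of this control page or of any scanner vendor's integration), the following Python sketch ties the three steps together: it matches a scanner export against a KEV feed sample, assigns each KEV finding its SLA deadline (assumed 72 hours for internet-facing hosts, 14 days otherwise), and flags findings that are overdue or whose documented compensating control has passed its expiry date. The feed, findings, asset names and control register are constructed sample data with placeholder CVE ids.

```python
from datetime import datetime, timedelta

# Constructed sample in the shape of the CISA KEV JSON feed: cveID/dateAdded/dueDate are
# the feed's real field names, but the CVE ids below are placeholders, not real entries.
KEV_FEED = {"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "dateAdded": "2024-05-01", "dueDate": "2024-05-22"},
    {"cveID": "CVE-0000-0002", "dateAdded": "2024-05-10", "dueDate": "2024-05-31"},
]}

# Constructed scanner export: one row per asset/CVE pair (hypothetical asset names).
FINDINGS = [
    {"asset": "web-01", "cve": "CVE-0000-0001", "first_seen": "2024-05-02", "internet_facing": True},
    {"asset": "db-01", "cve": "CVE-0000-0002", "first_seen": "2024-05-11", "internet_facing": False},
    {"asset": "app-02", "cve": "CVE-0000-0002", "first_seen": "2024-05-11", "internet_facing": False},
    {"asset": "app-02", "cve": "CVE-0000-9999", "first_seen": "2024-05-11", "internet_facing": False},
]

# Constructed compensating-control register; every entry carries an expiry date.
CONTROLS = {("db-01", "CVE-0000-0002"): {"control": "network ACL", "expires": "2024-06-01"}}

SLA_INTERNET_FACING = timedelta(hours=72)  # assumption: upper end of the 48-72 hour target
SLA_INTERNAL = timedelta(days=14)          # two weeks for everything else

def triage(feed, findings, controls, now_iso):
    """Return one record per KEV-matching finding with its SLA deadline and status."""
    now = datetime.fromisoformat(now_iso)
    kev = {v["cveID"] for v in feed["vulnerabilities"]}
    out = []
    for f in findings:
        if f["cve"] not in kev:
            continue  # ordinary finding: stays in the normal remediation queue
        sla = SLA_INTERNET_FACING if f["internet_facing"] else SLA_INTERNAL
        deadline = datetime.fromisoformat(f["first_seen"]) + sla
        ctl = controls.get((f["asset"], f["cve"]))
        if ctl and datetime.fromisoformat(ctl["expires"]) > now:
            status = "mitigated"  # compensating control still in force; patch plan still due
        elif ctl:
            status = "control_expired"  # control lapsed without a patch: escalate
        elif now > deadline:
            status = "overdue"  # past SLA: escalate to CISO / engineering leadership
        else:
            status = "open"
        out.append({**f, "deadline": deadline.date().isoformat(), "status": status})
    return out

def needs_escalation(records):
    return [r for r in records if r["status"] in ("overdue", "control_expired")]

if __name__ == "__main__":
    for r in triage(KEV_FEED, FINDINGS, CONTROLS, "2024-05-20"):
        print(r["asset"], r["cve"], r["deadline"], r["status"])
```

Run daily against the real feed and your scanner export; anything returned by needs_escalation is the list that goes to the CISO or engineering leadership.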

Evidence required

KEV tracking and remediation records

Evidence that KEV findings are identified promptly and remediated or mitigated within defined timelines.

  - Vulnerability scanner report showing KEV flagging is enabled
  - Ticket or remediation log showing KEV findings closed within SLA
  - Compensating control documentation for any KEV finding not yet patched

Related controls