CISA Launches Initiative for Public Nomination to Known Exploited Vulnerabilities (KEV) Catalog

CISA Opens KEV Catalog to Public Submissions to Speed Up Threat Response

INFORMATIONAL
May 21, 2026
Policy and Compliance, Vulnerability, Security Operations

Related Entities

Organizations

Cybersecurity and Infrastructure Security Agency, Federal Civilian Executive Branch

Full Report

Executive Summary

On May 21, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced a significant evolution in its vulnerability management strategy by launching a public submission process for its Known Exploited Vulnerabilities (KEV) catalog. This new initiative allows any party, including security vendors, researchers, and organizations, to submit vulnerabilities they have observed being actively exploited. The goal is to enhance the timeliness and scope of the KEV catalog, which is central to Binding Operational Directive (BOD) 22-01. By crowdsourcing threat intelligence, CISA aims to accelerate the identification and remediation of critical risks across Federal Civilian Executive Branch (FCEB) agencies and the broader public and private sectors, transforming the KEV from a potential lagging indicator into a more real-time defensive tool.

Regulatory Details

The new process is facilitated through a web form on CISA's website. Submitters are required to provide specific information to validate the submission, including:

  • The CVE number of the vulnerability.
  • Concrete evidence of active exploitation (e.g., log files, forensic reports, public threat intelligence reports).
  • Details on whether the vulnerability affects multiple vendors or products, indicating a systemic risk.
  • Any available mitigation guidance.

This initiative directly supports BOD 22-01, which mandates that FCEB agencies remediate vulnerabilities listed in the KEV catalog within specified timeframes. While the directive is only mandatory for federal agencies, the KEV catalog is widely regarded as a best-practice prioritization tool for all organizations. The public submission process is designed to make this tool more effective by incorporating a wider range of data sources beyond CISA's own intelligence gathering.

Affected Organizations

  • Directly Affected: U.S. Federal Civilian Executive Branch (FCEB) agencies, which are bound by BOD 22-01.
  • Indirectly Affected: All public and private sector organizations worldwide. CISA strongly encourages these entities to use the KEV catalog to prioritize their own vulnerability management efforts. The enhanced accuracy and timeliness of the catalog will benefit any organization that uses it for risk management.
  • Contributors: The entire cybersecurity ecosystem, including security researchers, technology vendors, bug bounty hunters, and incident response firms, is now formally invited to contribute.

Compliance Requirements

For FCEB agencies, the compliance requirement remains unchanged: they must remediate any vulnerability added to the KEV catalog by the specified due date. This new submission process does not alter that obligation but may increase the frequency of updates to the catalog. For private organizations, there are no direct compliance requirements, but aligning patching priorities with the KEV is a widely adopted best practice and is often expected by cyber insurance providers and regulators.

Implementation Timeline

The public submission form was made available on May 21, 2026, and is active immediately. There is no end date for this initiative. CISA will review submissions on an ongoing basis and, upon successful validation of active exploitation, will add the corresponding CVE to the KEV catalog with a defined remediation deadline.

Impact Assessment

This policy change is expected to have a significant positive impact on the nation's collective cybersecurity posture. By decentralizing intelligence gathering, CISA can tap into the vast network of security professionals who have frontline visibility into emerging threats. This should reduce the time between the discovery of an exploit in the wild and its inclusion in the KEV, shrinking the window of opportunity for attackers. For organizations, this means the KEV catalog will become an even more critical and dynamic tool for prioritizing the vast number of vulnerabilities disclosed each year. However, it may also increase the operational tempo for security teams, as more vulnerabilities could be added to the high-priority list more frequently.

Compliance Guidance

  1. Monitor the KEV Catalog: All organizations, not just federal agencies, should integrate the KEV catalog into their vulnerability management workflow. Subscribe to CISA's alerts and automated feeds for KEV updates.
  2. Establish a Rapid Patching Process: Develop and test a process for rapidly deploying patches for KEV-listed vulnerabilities. This should be treated as an incident response-level activity, not standard operational patching.
  3. Contribute to the Program: Organizations with threat intelligence or incident response capabilities should consider establishing a process to submit evidence of new exploits to CISA. Contributing to the ecosystem provides a collective benefit and can help get critical vulnerabilities patched more widely, reducing overall risk.
  4. Update Prioritization Models: Adjust vulnerability prioritization models to assign the highest weight to any CVE that appears in the KEV catalog. This should override standard CVSS-based scoring, as the KEV provides definitive proof of active risk.

Timeline of Events

  1. May 21, 2026: CISA announces the launch of a public submission form for the KEV catalog.
  2. May 21, 2026: This article was published.

MITRE ATT&CK Mitigations

The core mitigation for vulnerabilities listed in the KEV catalog is to apply the vendor-provided patches or updates within the CISA-mandated timeframe.

Audit (M1047, enterprise)

Organizations should continuously audit their assets against the KEV catalog to ensure timely remediation and compliance.

D3FEND Defensive Countermeasures

CISA's initiative to crowdsource the KEV catalog makes a rapid and efficient software update process more critical than ever. Organizations must treat every entry in the KEV catalog as a high-priority, time-sensitive threat. The recommendation is to establish a 'fast track' patching process specifically for KEV vulnerabilities. This process should bypass standard, slower-moving change control cycles. Automate the ingestion of the KEV catalog feed into your vulnerability management platform. Configure the system to automatically generate high-priority tickets for system owners the moment a new KEV vulnerability is found on an asset. Define a Service Level Agreement (SLA) for KEV remediation that aligns with CISA's deadlines (typically 7-21 days) and hold teams accountable. This proactive and aggressive patching posture, driven by the community-enhanced KEV, is the most direct countermeasure to active exploitation.
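An added example (not CISA's or this article's code) of the KEV-driven prioritization described in the Compliance Guidance and in the paragraph above: it matches scanner findings against a KEV feed and ranks KEV-listed CVEs ahead of higher-CVSS findings, ordered by due date. The feed excerpt, CVE IDs, asset names and the `index_kev` / `prioritize` helpers are constructed for illustration; the field names follow CISA's published KEV JSON.

```python
import json
from datetime import date

# Constructed sample in the shape of the KEV JSON feed (CVE IDs are placeholders).
KEV_FEED = json.loads("""
{"catalogVersion": "constructed-sample", "vulnerabilities": [
  {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "Gateway",
   "dateAdded": "2026-05-01", "dueDate": "2026-05-22"},
  {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "Mail",
   "dateAdded": "2026-05-18", "dueDate": "2026-06-08"}
]}
""")

# Constructed scanner findings: (asset, CVE, CVSS base score).
FINDINGS = [
    ("web-01", "CVE-0000-0003", 9.8),
    ("vpn-01", "CVE-0000-0001", 7.5),
    ("mail-01", "CVE-0000-0002", 6.1),
    ("db-01", "CVE-0000-0004", 8.8),
]

def index_kev(feed):
    """Map CVE ID -> due date, skipping entries with missing or malformed fields."""
    index = {}
    for entry in feed.get("vulnerabilities", []):
        try:
            index[entry["cveID"].upper()] = date.fromisoformat(entry["dueDate"])
        except (KeyError, ValueError, AttributeError):
            continue
    return index

def prioritize(findings, kev, today):
    """KEV-listed findings first (earliest due date first), then the rest by CVSS."""
    queue = []
    for asset, cve, cvss in findings:
        due = kev.get(cve.upper())
        queue.append({
            "asset": asset, "cve": cve, "cvss": cvss, "kev": due is not None,
            "due": due, "days_left": (due - today).days if due else None,
        })
    # KEV membership outranks CVSS; a negative days_left means the deadline has passed.
    queue.sort(key=lambda f: (not f["kev"], f["due"] or date.max, -f["cvss"]))
    return queue

if __name__ == "__main__":
    for f in prioritize(FINDINGS, index_kev(KEV_FEED), date(2026, 5, 25)):
        tier = "KEV fast-track" if f["kev"] else "standard"
        sla = "" if f["days_left"] is None else f" due in {f['days_left']}d"
        print(f"{f['asset']:8} {f['cve']} cvss={f['cvss']} {tier}{sla}")
```

In a ticketing integration, the `days_left` value is what would drive the SLA clock and escalation for each KEV finding.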

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

CISA, KEV, BOD 22-01, Vulnerability Management, Policy, Cybersecurity
