BIPI

CISA KEV Catalog: How to Use It to Prioritize Your Patch Pipeline

Compliance

The CISA KEV catalog is the highest-signal free patching resource available. Here is how entries are selected, what federal SLA mandates require, and how to integrate it.

By Arjun Raghavan, Security & Systems Lead, BIPI · November 11, 2024 · 8 min read

#cisa #kev #patch-management #vulnerability-management #compliance

The CISA Known Exploited Vulnerabilities (KEV) catalog is a curated, continuously updated list of vulnerabilities that have confirmed active exploitation evidence. Maintained by the Cybersecurity and Infrastructure Security Agency, it was introduced in November 2021 under Binding Operational Directive 22-01. As of mid-2024, the catalog contains over 1,100 entries spanning multiple decades of CVEs.

How a CVE Gets Added to KEV

CISA applies three criteria before adding a CVE to the KEV catalog: the vulnerability must have a CVE ID assigned, there must be credible evidence of active exploitation in the wild, and clear remediation guidance must exist. CISA draws evidence from threat intelligence partners, incident response data, commercial feeds, and government agency reporting. Critically, KEV is not based on CVSS score alone. Many high-CVSS CVEs are never added because they lack confirmed exploitation evidence, and several lower-CVSS CVEs are added because they are being actively weaponized.

What the Federal SLA Mandate Means

Binding Operational Directive 22-01 requires all Federal Civilian Executive Branch (FCEB) agencies to remediate KEV-listed vulnerabilities within defined timeframes: typically 14 days for vulnerabilities added with a standard window and as few as 72 hours under Emergency Directive. Agencies must report compliance to CISA and can face mandated network disconnection for non-compliance. The BOD applies to all federal civilian agencies but does not have direct legal force over state governments, local governments, or private sector organizations.

A CVE with a CVSS score of 6.5 that is actively being used by ransomware operators is more dangerous in practice than a CVSS 9.8 vulnerability with no known exploitation tooling. KEV captures this distinction; CVSS alone does not.

How Enterprise Teams Can Use KEV

  1. Subscribe to the KEV RSS feed or JSON download and ingest it into your vulnerability management platform
  2. Create an automatic SLA tier: any KEV entry on an internet-facing asset requires a patch within 7 days
  3. Cross-reference KEV with your asset inventory to identify affected systems immediately upon new additions
  4. Use KEV to override scanner-severity prioritization when CVSS disagrees with exploitation reality
  5. Include KEV coverage rate as a board-level security metric: what percentage of KEV entries are remediated within SLA

KEV and CVSS: Why They Give Different Signals

CVSS measures theoretical severity based on attack vector, complexity, and impact scope. It does not measure whether anyone is actually exploiting the vulnerability. KEV measures confirmed exploitation reality. The two signals are complementary. A mature vulnerability management program filters its remediation backlog using both: patch KEV entries on production systems first, then work through remaining high-CVSS vulnerabilities in order of exposure and business criticality.
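The ingest, cross-reference and prioritization steps above (steps 1, 3 and 4 of the enterprise list, and the "KEV on production first" ordering just described) are easy to get subtly wrong when left to a scanner's default severity sort. The following is an added example, not code from the original post or from any vendor named on this page. It assumes the KEV feed has already been downloaded as JSON with the field names CISA publishes (`cveID`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`); the catalog snapshot, the asset names and the CVE IDs below are constructed placeholders, not real entries. The ranking goes slightly beyond the text by using the catalog's ransomware flag as a tie-breaker inside the KEV band.

```python
import json
from dataclasses import dataclass

# Constructed KEV snapshot for this example. The field names follow CISA's
# published JSON; the CVE IDs and dates are placeholders, not real entries.
KEV_SNAPSHOT = json.dumps({
    "catalogVersion": "example",
    "vulnerabilities": [
        {"cveID": "CVE-0000-1001", "dateAdded": "2024-10-01",
         "dueDate": "2024-10-22", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-1002", "dateAdded": "2024-10-03",
         "dueDate": "2024-10-24", "knownRansomwareCampaignUse": "Unknown"},
    ],
})


@dataclass(frozen=True)
class Finding:
    """One scanner finding joined with asset-inventory context."""
    asset: str
    cve: str
    cvss: float
    internet_facing: bool
    production: bool


# Constructed scanner output: a mix of KEV and non-KEV findings across assets.
SAMPLE_FINDINGS = [
    Finding("web-01", "CVE-0000-1002", 6.5, internet_facing=True, production=True),
    Finding("db-01", "CVE-0000-9999", 9.8, internet_facing=False, production=True),
    Finding("dev-03", "CVE-0000-1001", 7.2, internet_facing=False, production=False),
    Finding("web-02", "CVE-0000-8888", 8.1, internet_facing=True, production=True),
]


def load_kev(text):
    """Parse a KEV JSON document into {cveID: entry} (step 1: ingest)."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def kev_exposure(kev_text, findings):
    """Cross-reference KEV with the estate (step 3): KEV CVE -> affected assets."""
    kev = load_kev(kev_text)
    hits = {}
    for f in findings:
        if f.cve in kev:
            hits.setdefault(f.cve, []).append(f.asset)
    return hits


def priority_key(f, kev):
    """Sort key where a smaller tuple means 'patch sooner'.

    KEV on production outranks everything; KEV elsewhere comes next; only then
    does CVSS matter, and within that band exposure beats raw score (step 4).
    """
    in_kev = f.cve in kev
    ransomware = in_kev and kev[f.cve].get("knownRansomwareCampaignUse") == "Known"
    if in_kev and f.production:
        band = 0
    elif in_kev:
        band = 1
    else:
        band = 2
    return (band,
            0 if ransomware else 1,
            0 if f.internet_facing else 1,
            0 if f.production else 1,
            -f.cvss,
            f.asset, f.cve)


def rank_findings(kev_text, findings):
    """Return findings in remediation order, KEV first regardless of CVSS."""
    kev = load_kev(kev_text)
    return sorted(findings, key=lambda f: priority_key(f, kev))


if __name__ == "__main__":
    for f in rank_findings(KEV_SNAPSHOT, SAMPLE_FINDINGS):
        print(f"{f.asset:8} {f.cve:15} CVSS {f.cvss}")
```

Run as a script it prints the CVSS 6.5 KEV finding on `web-01` ahead of the CVSS 9.8 non-KEV finding on `db-01`, which is exactly the inversion the section describes. Note that an exposed non-KEV 8.1 also lands ahead of the internal 9.8: within the non-KEV band the key sorts by exposure before score, matching "in order of exposure and business criticality".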

Integrating KEV into Your Vulnerability Management Program

  • Tenable, Qualys, Rapid7, and Wiz all support KEV filtering natively in their dashboards
  • The KEV catalog is available as a machine-readable JSON at cisa.gov/known-exploited-vulnerabilities-catalog
  • SSVC (Stakeholder-Specific Vulnerability Categorization) from CISA uses KEV as an exploitation-evidence input
  • Include KEV coverage in vendor security assessments and third-party risk questionnaires
  • Make a KEV addition a trigger in your ITSM workflow that auto-creates P1 tickets for affected assets
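The last bullet, turning a catalog addition into a P1 ticket, needs two things the dashboards do not give you for free: a diff between successive catalog downloads, and memory of what has already been ticketed so that polling the feed every hour does not reopen the same ticket. The following is an added example, not code from the original post or from any ITSM product. It assumes two downloaded KEV JSON snapshots with CISA's field names (`cveID`, `vendorProject`, `product`, `dueDate`, `requiredAction`); the snapshots, inventory, vendor and product names and CVE IDs are constructed placeholders, and the ticket dictionary shape is this example's own rather than any particular ITSM API.

```python
import json

# Two constructed catalog snapshots standing in for successive downloads of the
# KEV JSON. Field names mirror CISA's published feed; CVE IDs, vendor and
# product names are placeholders.
OLD_SNAPSHOT = json.dumps({"catalogVersion": "2024.10.01", "vulnerabilities": [
    {"cveID": "CVE-0000-1001", "vendorProject": "ExampleCo", "product": "Gateway",
     "dateAdded": "2024-10-01", "dueDate": "2024-10-22",
     "requiredAction": "Apply mitigations per vendor instructions."},
]})
NEW_SNAPSHOT = json.dumps({"catalogVersion": "2024.10.03", "vulnerabilities": [
    {"cveID": "CVE-0000-1001", "vendorProject": "ExampleCo", "product": "Gateway",
     "dateAdded": "2024-10-01", "dueDate": "2024-10-22",
     "requiredAction": "Apply mitigations per vendor instructions."},
    {"cveID": "CVE-0000-1002", "vendorProject": "ExampleCo", "product": "Mailer",
     "dateAdded": "2024-10-03", "dueDate": "2024-10-24",
     "requiredAction": "Apply updates per vendor instructions."},
]})

# Constructed asset inventory: asset -> CVEs the scanner currently reports on it.
INVENTORY = {
    "mail-01": {"CVE-0000-1002", "CVE-0000-5555"},
    "web-01": {"CVE-0000-1001"},
    "mail-02": {"CVE-0000-1002"},
}


def kev_entries(text):
    """Parse a KEV JSON document into {cveID: entry}."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def new_additions(old_text, new_text):
    """Entries present in the new snapshot but not the old one, sorted by CVE ID."""
    old, new = kev_entries(old_text), kev_entries(new_text)
    return [new[cve] for cve in sorted(set(new) - set(old))]


def tickets_for(additions, inventory, already_ticketed, priority="P1"):
    """Build one ticket per newly added KEV CVE that touches at least one asset.

    `already_ticketed` is mutated so that re-polling the feed does not reopen
    tickets for CVEs handled on an earlier run.
    """
    tickets = []
    for entry in additions:
        cve = entry["cveID"]
        if cve in already_ticketed:
            continue
        affected = sorted(asset for asset, cves in inventory.items() if cve in cves)
        if not affected:
            continue  # catalog addition with no exposure in this estate: no ticket
        tickets.append({
            "priority": priority,
            "summary": f"KEV addition {cve}: {entry['vendorProject']} {entry['product']}",
            "cve": cve,
            "assets": affected,
            "cisa_due_date": entry["dueDate"],
            "required_action": entry["requiredAction"],
        })
        already_ticketed.add(cve)
    return tickets


def poll_once(old_text, new_text, inventory, state):
    """One ITSM-trigger cycle: diff the catalog, emit tickets, update state."""
    return tickets_for(new_additions(old_text, new_text), inventory, state)


if __name__ == "__main__":
    state = set()
    for ticket in poll_once(OLD_SNAPSHOT, NEW_SNAPSHOT, INVENTORY, state):
        print(ticket["priority"], ticket["summary"], ticket["assets"])
```

Two design points worth keeping when wiring this into a real workflow: one ticket per CVE with the asset list attached (rather than one per asset) keeps the queue readable when a widely deployed product is added, and carrying CISA's own `dueDate` into the ticket gives the assignee the federal deadline alongside whatever internal SLA the organization sets.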

Limitations of the KEV Catalog

KEV is retrospective: a CVE is added after exploitation is confirmed, not before. For organizations facing sophisticated threat actors, KEV provides a floor, not a ceiling, for patching priority. Emerging zero-days may be actively exploited for weeks or months before CISA has sufficient evidence for inclusion. Pair KEV with threat intelligence subscriptions that track active exploit tool developments to reduce this lag.

Building a KEV-Aligned Patch Program

  1. Define explicit SLA tiers: KEV on internet-facing (7 days), KEV on internal (21 days), non-KEV critical (30 days)
  2. Automate KEV ingestion into your vulnerability scanner and ITSM tool
  3. Report KEV compliance rate monthly to security leadership
  4. Conduct quarterly exercises where you simulate a new KEV addition and measure time-to-patch
  5. Use a KEV exemption process to formally document accepted risk for systems that cannot be patched
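Steps 1, 3 and 5 of this list (and the board-level "percentage of KEV entries remediated within SLA" metric from the earlier enterprise list) come down to a small amount of date arithmetic that is worth writing down precisely, because the compliance figure changes depending on how open-but-not-yet-due and exempted findings are counted. The following is an added example, not code from the original post. It uses the three tiers exactly as defined in step 1; the CVSS 9.0 threshold for "critical", the set of KEV IDs, the asset names, CVE IDs and dates are all constructed assumptions, and in practice the KEV ID set would come from the catalog JSON rather than a literal.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# SLA tiers exactly as defined in step 1 above (days from detection).
SLA_DAYS = {
    "kev-internet-facing": 7,
    "kev-internal": 21,
    "non-kev-critical": 30,
}

# Constructed set of KEV CVE IDs; in production this comes from the catalog JSON.
KEV_IDS = {"CVE-0000-1001", "CVE-0000-1002"}

# Constructed reporting date for the monthly report.
REPORT_DATE = date(2024, 11, 1)


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    cvss: float
    internet_facing: bool
    detected_on: date
    remediated_on: Optional[date] = None
    exempted: bool = False  # risk formally accepted through the exemption process (step 5)


# Constructed findings covering each outcome the monthly report needs.
SAMPLE_FINDINGS = [
    Finding("web-01", "CVE-0000-1002", 6.5, True, date(2024, 10, 3), remediated_on=date(2024, 10, 8)),
    Finding("app-07", "CVE-0000-1001", 7.2, False, date(2024, 10, 1)),
    Finding("db-01", "CVE-0000-9999", 9.8, False, date(2024, 10, 15)),
    Finding("legacy-02", "CVE-0000-1001", 7.2, False, date(2024, 10, 1), exempted=True),
    Finding("web-02", "CVE-0000-1002", 6.5, True, date(2024, 10, 28)),
]


def sla_tier(f, kev_ids):
    """Map a finding to one of the three tiers, or None if no tier applies."""
    if f.cve in kev_ids:
        return "kev-internet-facing" if f.internet_facing else "kev-internal"
    if f.cvss >= 9.0:  # 'critical' taken as CVSS 9.0+; the threshold is an assumption
        return "non-kev-critical"
    return None


def due_date(f, kev_ids):
    """Detection date plus the tier's window; None when no tier applies."""
    tier = sla_tier(f, kev_ids)
    return None if tier is None else f.detected_on + timedelta(days=SLA_DAYS[tier])


def kev_compliance(findings, kev_ids, today):
    """Monthly KEV compliance report (step 3).

    The rate scores only KEV findings whose outcome is known: remediated ones
    (met or missed their due date) and unremediated ones already past due.
    Findings still inside their window are reported but not scored, and
    exempted ones are listed separately so accepted risk stays visible.
    """
    met = missed = open_within_sla = exempted = 0
    for f in findings:
        if f.cve not in kev_ids:
            continue
        if f.exempted:
            exempted += 1
            continue
        due = due_date(f, kev_ids)
        if f.remediated_on is not None:
            if f.remediated_on <= due:
                met += 1
            else:
                missed += 1
        elif today > due:
            missed += 1
        else:
            open_within_sla += 1
    scored = met + missed
    return {
        "rate": met / scored if scored else 1.0,
        "met": met,
        "missed": missed,
        "open_within_sla": open_within_sla,
        "exempted": exempted,
    }


if __name__ == "__main__":
    print(kev_compliance(SAMPLE_FINDINGS, KEV_IDS, REPORT_DATE))
```

On the constructed data the report shows one KEV finding met, one missed, one still inside its window and one exempted, for a rate of 50%. Keeping the exempted count in the report rather than silently dropping it is what makes the exemption process auditable: leadership sees both the compliance rate and how much accepted risk sits outside it.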
