What is the CISA Known Exploited Vulnerabilities (KEV) catalog?

The KEV catalog is a continuously updated CISA list of vulnerabilities known to be actively exploited in the wild. Federal civilian agencies are required to patch listed vulnerabilities by specified deadlines under Binding Operational Directive 22-01.

How do I report a cyber incident to CISA?

Through report.cisa.gov, regional CISA Cybersecurity Advisors, or the Joint Cyber Defense Collaborative (JCDC) for critical infrastructure entities. Reporting is voluntary today; CIRCIA will make it mandatory for covered entities once the final rule takes effect.

Is reporting to CISA confidential?

Yes. CISA reports are protected from disclosure under the Protected Critical Infrastructure Information (PCII) program and CIRCIA's confidentiality provisions. They are not subject to FOIA or used for enforcement actions against the reporting entity.

Does CISA do attribution?

Limited public attribution. CISA publishes joint advisories with FBI, NSA, and international partners attributing campaigns to nation-state actors. Formal U.S. government attribution typically comes from the State Department or FBI; CISA's role is technical coordination.

CISA - Cybersecurity and Infrastructure Security Agency

Q: What is CISA?

CISA (Cybersecurity and Infrastructure Security Agency) is the U.S. federal agency responsible for protecting civilian critical infrastructure from cyber and physical threats. It operates within the Department of Homeland Security and was established by the CISA Act of 2018.

The Cybersecurity and Infrastructure Security Agency (CISA) is the U.S. federal agency responsible for protecting civilian critical infrastructure from cyber and physical threats. Established by the Cybersecurity and Infrastructure Security Agency Act of 2018, CISA operates within the Department of Homeland Security and serves as the U.S. national coordinator for critical infrastructure security and resilience.

Source: cisa.gov. Established by the CISA Act of 2018 (H.R. 3359).

CISA's Core Programs

Known Exploited Vulnerabilities (KEV) Catalog: a continuously updated list of vulnerabilities known to be actively exploited, with required patching deadlines for U.S. federal civilian agencies
Binding Operational Directives (BODs): mandatory requirements for federal civilian agencies, including BOD 22-01 (KEV patching) and BOD 23-02 (exposed management interfaces)
Joint Cyber Defense Collaborative (JCDC): public-private operational collaboration for cyber defense
StopRansomware.gov: ransomware-focused resources and reporting portal
CIRCIA: incident and ransom payment reporting program for critical infrastructure

Reporting Incidents to CISA

Critical infrastructure entities can report incidents to CISA voluntarily today and will be required to do so under CIRCIA once the final rule takes effect. Reports go through report.cisa.gov, regional CISA Cybersecurity Advisors, or the JCDC channel. CISA provides incident coordination and threat intelligence in return for reports.

CISA and Other Agencies

CISA coordinates with the FBI (Cyber Division and IC3), Secret Service (financial cybercrime), NSA (signals intelligence and U.S. government cyber defense), and sector-specific agencies (HHS for healthcare, FERC and DOE for energy, FDIC and OCC for banking, FAA for aviation). FBI engagement is required for active investigations; CISA engagement is appropriate for technical incident coordination.

Coordinate with CISA from one platform

IR-OS supports CISA reporting workflows, KEV-driven patch prioritization, and the CIRCIA 72-hour and 24-hour deadlines.

Start free

CISA - Cybersecurity and Infrastructure Security Agency

CISA's Core Programs

Reporting Incidents to CISA

CISA and Other Agencies

Related Terms

Coordinate with CISA from one platform