CISA KEV Catalog
the Known Exploited Vulnerabilities framework

The CISA KEV Catalog explained

The CISA Known Exploited Vulnerabilities (KEV) Catalog is the authoritative public list of CVEs the Cybersecurity and Infrastructure Security Agency has observed in real-world attack activity. The catalog was established under Binding Operational Directive 22-01 on 3 November 2021, and it has grown into the single most useful exploitation-evidence signal a vulnerability management programme can read. It is short, it is authoritative, it is updated continuously, and every entry has been seen in attack telemetry rather than theorised in a research paper.

For internal security teams, AppSec functions, vulnerability management programmes, GRC owners, and CISOs, the KEV catalog is the answer to the question every prioritisation framework eventually asks: which of the thousands of CVEs published each year are actually being used. The catalog is not a control framework like NIST CSF 2.0, ISO 27001, or CIS Controls; it is a curated catalog plus a federal directive plus a published timeline. The framework value is in the structural discipline the catalog enforces and the cross-walk into every major cybersecurity regime operators already read against.

This page covers the BOD 22-01 mandate, the inclusion criteria, the catalog structure, the cross-walk to NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, NIS2, DORA, and CIS Controls, the audit evidence an internal KEV programme runs against, and where the catalog sits next to CVSS, EPSS, NVD, SSVC, vendor advisories, and the wider vulnerability intelligence regime. The page assumes a reader who is operating a vulnerability management programme and wants the catalog read structurally rather than as a list of CVEs.

Inclusion criteria the catalog enforces

CISA publishes explicit inclusion criteria the catalog enforces. The criteria deliberately keep the list short, defensible, and prioritisation-grade. Every entry has been seen used; programmes that read the inclusion criteria as the operating contract get a small queue rather than a long, ambiguous list.

BOD 22-01 mandate and scope

Binding Operational Directive 22-01 is the structural authority behind the KEV catalog. The directive is binding for federal civilian executive branch (FCEB) agencies and explicitly recommended as best practice for everyone else. For non-FCEB programmes operating in regulated sectors, the published timelines have become the audit-defensible reference point because no comparable public mandate carries equivalent specificity. The six structural points below name what the directive actually requires.

Catalog structure and feed cadence

The catalog is published at the CISA website and at a machine-readable JSON endpoint plus a CSV feed. Each entry carries the fields below. Programmes that ingest the JSON feed on a daily cadence catch new additions before the published due dates compound into firefighting; programmes that read the catalog only at audit time discover the operating posture has been reactive rather than continuous.

KEV next to CVSS, EPSS, NVD, and SSVC

KEV is one input in the vulnerability intelligence stack, not a replacement for the rest. The defensible operating queue reads four signals together: KEV as the binary exploitation gate, EPSS as the broader probability signal, CVSS as the severity-of-impact ranking, NVD as the CVE-and-CWE structural reference. Programmes that read KEV alone produce a tight queue but miss high-EPSS CVEs that have not yet landed on KEV; programmes that read CVSS alone produce a wide queue with no exploitation evidence; the four-signal read produces the defensible operating queue.

A practical KEV programme adoption pattern

The catalog is designed to be operated continuously rather than reviewed periodically. The cadence below is the operating pattern most KEV programmes converge on when the catalog is treated as a feed rather than a snapshot. The cycle compounds: each step inherits structure from the prior step, so the audit pack at the end of the cycle is the residue of the operating work rather than a separate compilation.

1. 1Establish the daily catalog ingestion cadence. Pull the published JSON feed (catalog-of-known-exploited-vulnerabilities.json) on a daily schedule. Capture the new additions per day, the new ransomware-campaign-use flags, and the due-date schedule. The daily cadence catches catalog growth before the FCEB due-date pressure compounds into firefighting and gives non-FCEB programmes the same operating posture the directive expects of federal agencies.
2. 2Match each catalog entry against the operating estate. Run authenticated scanning, external scanning, code scanning, and asset inventory queries to surface the affected vendor and product combinations from the catalog against the operating estate. The affected-or-not classification per entry is the input to the queue; entries that do not match the estate carry a no-applicability record so the audit conversation includes the catalog-wide read rather than only the matched subset.
3. 3Calibrate the per-entry remediation timeline against the published due date. For FCEB-aligned programmes, the published due date is the operating contract. For non-FCEB programmes, the published due date is the audit-defensible reference point; programmes that adopt the FCEB cadence treat each entry as a 14-day remediation commitment, programmes that adopt a longer cadence document the policy decision and the rationale (sector practice, vendor patch availability, change-window constraints). The policy decision sits on the operating record.
4. 4Tier the within-KEV prioritisation by ransomware-campaign-use, EPSS score, and asset criticality. Within the KEV queue, the ransomware-campaign-use flag, the EPSS score, and the asset criticality of the affected systems produce the within-queue ordering. Programmes that read KEV as a flat queue miss the within-queue prioritisation the catalog metadata supports; programmes that tier the queue produce a defensible operating order that survives leadership scrutiny.
5. 5Operate the exception register against the published timeline. Entries that cannot be remediated within the timeline (vendor patch unavailable, change-window constraints, end-of-life systems with planned decommissioning, compensating-control posture) enter a structured exception register with the documented compensating control, the named risk owner, the timeline for the structural fix, and the review cadence. Exceptions are a programme reality; what makes them defensible is the structural record rather than the absence of one.
6. 6Produce the audit evidence as a side effect of the operating cadence. The catalog ingestion log, the per-entry applicability classification, the dated remediation evidence, the exception register, and the leadership reporting cadence read together as the BOD 22-01-aligned evidence pack. The same pack reads against the ISO 27001 A.8.8 control, the SOC 2 CC7.1 and CC7.2 criteria, the PCI DSS 6.3.3 and 11.4 requirements, the NIS2 Article 21 measures, the DORA Article 9 framework, and the CIS Controls Safeguards. The audit pack is the residue of the operating work rather than a separate compilation.

Failure modes a KEV programme tends to surface

The catalog is forgiving on the choice of tooling, the per-entry tier-up rule, and the prioritisation order within the queue. It is unforgiving about a small number of patterns that turn the KEV programme cosmetic rather than operational. The patterns below recur across KEV adoptions and are the ones that erode the year-over-year continuity the audit read expects.

Evidence a KEV programme produces

The KEV evidence pack reads well when it is built as a side effect of the operating work rather than reconstructed at audit time. The minimum set below maps to the records that examiners, sector regulators, and audit committees most often read against, and the same artefacts feed parallel reads under BOD 22-01, ISO 27001, SOC 2, PCI DSS, NIS2, DORA, and CIS Controls when the underlying record is structured.

How the KEV catalog relates to adjacent regimes

The KEV catalog sits in a dense regulatory and framework neighbourhood. The relationships below are the ones programmes encounter most often when they read the KEV catalog against the rest of the cybersecurity baseline regime. The relationships matter because programmes that operate each regime in isolation rebuild the same evidence multiple times per cycle.

Where SecPortal fits in a KEV programme

SecPortal is the operating layer for the KEV cycle, not a replacement for the CISA publication or for the catalog itself. The platform handles the KEV-side workstreams (per-entry applicability classification, per-finding KEV tagging, per-entry remediation tracking, exception register, leadership reporting) so the per-entry record stays structured rather than reconstructed at audit time. The same workspace that hosts the engagement record hosts the external scanning, authenticated DAST, code scanning, and pentest evidence the per-entry applicability resolution depends on, so the line from catalog entry to per-asset remediation evidence stays traceable. The catalog ingestion itself is yours to run; SecPortal holds the operating record once the catalog has been read against the estate.

The IDENTIFY-side reading the KEV catalog expects against the operating estate connects to named workflow records on the workspace. The vulnerability prioritisation workflow translates the KEV exploitation signal and the CVSS-plus-EPSS severity into the per-finding queue the catalog drives. The vulnerability SLA management workflow carries the timeline discipline the published KEV due date reads against. The vulnerability acceptance and exception management workflow records the structured exception register for KEV entries past the published timeline with the compensating control and the named risk owner. The remediation tracking workflow carries the per-asset dated remediation evidence the BOD 22-01 audit pack reads against.

For internal teams running the KEV programme, the internal security teams workspace bundles the platform with the engagement structure the audit cadence reads against. For vulnerability management functions operating the catalog queue at scale, the vulnerability management teams workspace covers the lifecycle work that produces the operational signal the per-entry remediation evidence reads against. For CISOs and security leaders carrying the leadership-side cadence, the CISOs and security leaders workspace covers the program-level reporting model that sits on top of the KEV operating record.

For deeper operational reading on the disciplines the KEV catalog reads against, the CISA KEV catalog vulnerability management guide covers the operational rollout pattern programmes use to stand up the catalog ingestion, the per-entry tagging, and the leadership reporting cadence over a six-week window. The vulnerability intelligence operating model covers how KEV combines with EPSS, NVD, vendor advisories, and threat reporting into one written decision rule the per-finding queue reads against. The CISA Cybersecurity Performance Goals framework page covers Goal 2.O (Mitigation of Known Exploited Vulnerabilities) and the broader prioritised baseline KEV sits inside. The EPSS score explained guide covers the predictive exploitation-probability signal that pairs with KEV in the four-signal read. The SSVC categorisation guide covers the CISA-published decision-tree prioritisation methodology KEV feeds as the strongest Exploitation axis input. The vulnerability management program scorecard scores programme maturity across governance, detection, prioritisation, remediation, and verification with KEV-aligned scoring on the prioritisation axis.