Skip to main content
U.S. flag

An official website of the United States government

CISA Directives

CISA Emergency Directives

The Cybersecurity and Infrastructure Security Agency (CISA) periodically issues “Emergency Directives,” which require action by cloud.gov, as a FedRAMP-authorized service.

In response to CISA Emergency Directives, cloud.gov will:

We will no longer be publicly providing our specific directive compliance status, as future directives could apply to components in the cloud.gov system.

FY2021

CISA Emergency Directive 21-03 for Pulse Connect Secure: Not impacted

Cloud.gov has NO instances of Pulse Connect Secure

On April 20, 2021, the DHS Cybersecurity and Infrastructure Security Agency (CISA) published Emergency Directive 21-03: “Mitigate Pulse Connect Secure Product Vulnerabilities” (https://cyber.dhs.gov/ed/21-03/)

Status: The cloud.gov system has no instances of Pulse Connect Secure. We are fully compliant with ED-21-03.

CISA Emergency Directive 21-02 for Microsoft Exchange: Not impacted

cloud.gov has NO instances of Microsoft Exchange on-premises.

On March 3, 2021, the DHS Cybersecurity and Infrastructure Security Agency (CISA) published Emergency Directive 21-02: “Mitigate Microsoft Exchange On-Premises Product Vulnerabilities” (https://cyber.dhs.gov/ed/21-02/)

Status: The cloud.gov system has no instances of Microsoft Exchange on-premises. We are fully compliant with ED-21-02.

CISA Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise: Not impacted

On December 13, 2020, the DHS Cybersecurity and Infrastructure Security Agency (CISA) published Emergency Directive 21-01, “Mitigate SolarWinds Orion Code Compromise”.

We want to assure cloud.gov customers that the SolarWinds Orion code compromise is not applicable to cloud.gov. There are no SolarWinds components in the cloud.gov system.

FY2020

CISA Directive 20-04 for Netlogon Elevation of Privilege: cloud.gov is fully compliant

On September 18, 2020, the DHS Cybersecurity and Infrastructure Security Agency (CISA) published Emergency Directive 20-04, Mitigate Netlogon Elevation of Privilege Vulnerability from August 2020 Patch Tuesday.

The FedRAMP PMO requested that cloud.gov (and all CSPs) notify agency customers on our compliance status with the directive, which is that cloud.gov has zero systems impacted by this vulnerability.

CISA Directive 20-03 for Windows DNS: cloud.gov is fully compliant

On July 16, 2020, the DHS Cybersecurity and Infrastructure Security Agency (CISA) published Emergency Directive 20-03, Mitigate Windows DNS Server Vulnerability from July 2020 Patch Tuesday.

The FedRAMP PMO requested that cloud.gov (and all CSPs) notify agency customers on our compliance status with the directive, which is that cloud.gov has zero systems impacted by this vulnerability.

CISA Directive 20-02: Mitigate Windows Vulnerabilities

On January 15, 2020, the FedRAMP program office directed all authorized cloud service providers to comply with Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) Emergency Directive 20-02, Mitigate Windows Vulnerabilities from January 2020 Patch Tuesday

cloud.gov confirms that it has zero affected endpoints in the FedRAMP authorized boundary, and hence has 100% patch compliance.

Further, cloud.gov has zero affected endpoints under our management outside the boundary, e.g. in development or test environments.

We want to assure cloud.gov agency customers that their systems, and our product, have no exposure to this particular vulnerability.