On October 14, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 26-01 requiring all federal civilian agencies to immediately secure their F5 infrastructure in response to nation-state actors stealing F5 BIG-IP source code.
Three weeks earlier, on September 28, CISA issued Emergency Directive 25-03 requiring federal agencies to mitigate critical zero-day vulnerabilities in Cisco ASA firewalls exploited by state-sponsored actors for ROM manipulation.
Two emergency directives in one month. Both targeting critical infrastructure. Both signed with federal authority and mandatory compliance.
If your organization is a federal contractor, a critical infrastructure operator, or does business with government agencies, these directives aren’t just a federal concern. They’re your concern too.
According to CISA’s official guidance, while emergency directives technically apply only to federal agencies, the agency “urges public and private sector organizations to review the directive and take steps to mitigate vulnerabilities.”
“Urges” is government speak for “you should really do this.”
What CISA Emergency Directives Actually Are
An Emergency Directive is CISA’s most powerful enforcement tool. When CISA issues one, it’s essentially declaring a cybersecurity emergency affecting federal networks.
Legal Authority
According to CISO Node’s analysis of ED 25-03, Emergency Directives are issued under 44 U.S.C. § 3553(h)—the Cybersecurity and Infrastructure Security Agency Act of 2018.
This statute gives CISA authority to “direct the head of an affected agency to implement security measures to protect Federal information systems.”
Translation: CISA can compel federal agencies to take specific security actions immediately, bypassing normal bureaucratic processes.
Compliance Is Mandatory
Federal agencies don’t have discretion. They must comply with emergency directives or lose federal funding for non-compliant systems.
Compliance deadlines are typically days to weeks. No time for deliberation or planning. Agencies must act immediately.
The 2025 Emergency Directives: What Happened
ED 26-01: F5 BIG-IP Source Code Theft
On October 14, 2025, nation-state actors revealed that they’d stolen F5 Networks’ BIG-IP source code. This included undisclosed vulnerabilities F5 was actively working to patch.
F5 BIG-IP runs critical infrastructure: 48 of the top 50 Fortune 500 companies use it. It’s the load balancer, network security appliance, and web application firewall for massive infrastructure globally.
CISA recognized the threat immediately: attackers with source code and knowledge of undisclosed vulnerabilities could exploit F5 devices before patches existed.
ED 26-01 required federal agencies to:
- Inventory all F5 BIG-IP hardware and software
- Harden public-facing management interfaces (restrict internet exposure)
- Apply latest F5 patches by October 22, 2025
- Apply all subsequent patches within one week of release
- Disconnect end-of-support devices immediately
- Report actions to CISA
Agencies that couldn’t comply by the deadline had to escalate to leadership and explain why.
ED 25-03: Cisco ASA ROM Manipulation
Three weeks earlier, state-sponsored actors (linked to the “ArcaneDoor” campaign) exploited zero-day vulnerabilities in Cisco ASA firewalls to achieve remote code execution and implant persistent access in firmware ROM (read-only memory).
This is particularly dangerous because ROM persists through reboots and firmware updates. A compromised ASA remains compromised even after supposedly “fixing” the system.
According to Industrial Cyber’s reporting, the targeted CVEs were:
- CVE-2025-20333: Remote code execution
- CVE-2025-20362: Privilege escalation
ED 25-03 required agencies to:
- Inventory all Cisco ASA and Firepower devices immediately
- Execute CISA’s forensic collection procedures to detect compromise
- If compromise detected: disconnect device, report to CISA, preserve for investigation
- Disconnect all end-of-support devices by September 30, 2025
- Patch all supported devices by September 26, 2025
- Apply future updates within 48 hours of release
- Report all actions to CISA by October 2, 2025
The deadline compression was extreme: forensic analysis due within days, patching deadlines within weeks.
Why This Affects Private Organizations
Direct Impact: Federal Contractors
If your organization is a federal contractor, federal subcontractor, or Critical Infrastructure operator (CISA-defined), you likely received pressure to comply with these directives.
While the directives technically apply only to federal civilian agencies, those agencies are contracting work out on the condition that contractors comply as well.
Translation: Do you want federal contracts? Comply with the directive.
Indirect Impact: Supply Chain Risk
Many private organizations use the same F5 BIG-IP and Cisco ASA infrastructure as federal agencies. The vulnerabilities affected by these directives apply equally to private sector deployments.
If an attack that succeeded against federal systems could succeed against you, you’re at risk.
Reputational Impact
If federal agencies patch and private organizations don’t, it signals different security priorities. If a breach then occurs in unpatched private infrastructure, it damages reputation: “How did you not patch a widely-known federal directive?”
The Broader Context: CISA’s Authority Is Growing
ED 26-01 and ED 25-03 are only the latest emergency directives. The pattern is accelerating.
Historical ED Frequency
According to CISA’s official records:
- 2016: 1 emergency directive issued
- 2017: 1 emergency directive issued
- 2018: 2 emergency directives issued
- 2019: 3 emergency directives issued
- 2020: 4 emergency directives issued (SolarWinds)
- 2021: 5 emergency directives issued
- 2022: 4 emergency directives issued
- 2023: 3 emergency directives issued
- 2024: 4 emergency directives issued
- 2025: 2+ already issued (and year not finished)
The trend is clear: more directives, faster issuance, broader impact.
CISA’s Stated Mission Evolution
CISA increasingly positions itself as the arbiter of federal cybersecurity compliance. Recent leadership statements suggest CISA will issue more emergency directives for zero-days and critical vulnerabilities.
The message to private sector: expect increasing CISA directives and prepare to comply rapidly.
What Private Organizations Should Do Right Now
Immediate Actions
- Inventory critical infrastructure: Do you use F5 BIG-IP or Cisco ASA? If yes, you’re affected by these specific directives regardless of federal status.
- Assess exposure: Are these devices exposed to the internet? If yes, apply patches immediately (don’t wait for a federal mandate).
- Review your supply chain: Does any critical supplier use F5 or Cisco ASA? If their infrastructure is compromised, could yours be affected?
- Check the CISA website: Subscribe to CISA alerts. They’re free and provide advance warning of upcoming directives.
Short-Term Actions (Next Month)
- Establish CISA monitoring: Assign someone to monitor CISA emergency directives. The frequency is increasing.
- Create rapid-response procedures: When CISA issues a directive, federal agencies have 1-4 weeks to comply. Your organization should have plans for similar urgency.
- Evaluate vendor relationships: If vendors are slow to patch or don’t support emergency security updates, reassess the relationship.
- Improve patch management: CISA’s 48-hour patching requirement for federal systems should become your standard. Many organizations still take months to patch.
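The inventory, exposure and patch-deadline checks described above can be run as one triage pass over an asset inventory. The following is an added example, not CISA tooling or code from the directives: the CSV column names, hostnames and dates are constructed, and the patch windows are the ones this article attributes to ED 26-01 (one week) and ED 25-03 (48 hours).

```python
import csv
import io
from datetime import datetime, timedelta

# Patch windows as summarized in this article (assumption: applied per product).
# ED 26-01 (F5): within one week of release; ED 25-03 (Cisco ASA): within 48 hours.
PATCH_WINDOW = {"F5 BIG-IP": timedelta(days=7), "Cisco ASA": timedelta(hours=48)}

# Constructed sample inventory; column names and hosts are hypothetical.
SAMPLE_INVENTORY = """hostname,product,mgmt_internet_exposed,end_of_support,patch_released,patch_applied
lb-edge-01,F5 BIG-IP,yes,no,2025-10-15T00:00,
lb-core-02,F5 BIG-IP,no,no,2025-10-15T00:00,2025-10-17T09:30
fw-dmz-01,Cisco ASA,no,no,2025-10-18T00:00,
fw-branch-07,Cisco ASA,yes,yes,2025-10-18T00:00,
web-proxy-03,nginx,no,no,2025-10-01T00:00,
"""

def triage(inventory_csv, now):
    """Return {hostname: [findings]} for devices named in the two directives."""
    report = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        window = PATCH_WINDOW.get(row["product"])
        if window is None:
            continue  # product not named in either directive
        findings = []
        if row["end_of_support"] == "yes":
            # Both directives require disconnecting end-of-support devices.
            findings.append("DISCONNECT: end of support")
        elif not row["patch_applied"]:
            # Unpatched supported device: compare "now" with the directive window.
            due = datetime.fromisoformat(row["patch_released"]) + window
            state = "OVERDUE" if now > due else "PENDING"
            findings.append(f"PATCH {state}: due {due:%Y-%m-%d %H:%M}")
        if row["mgmt_internet_exposed"] == "yes":
            findings.append("RESTRICT: management interface reachable from internet")
        report[row["hostname"]] = findings
    return report

if __name__ == "__main__":
    as_of = datetime(2025, 10, 21, 12, 0)  # constructed evaluation time
    for host, findings in triage(SAMPLE_INVENTORY, as_of).items():
        print(host, "->", findings or ["OK"])
```

An empty findings list means the device is in scope but has nothing outstanding; hosts running products outside the two directives are left out of the report.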
Medium-Term Actions
- Develop federal compliance roadmap: If you work with federal agencies, understand all relevant compliance requirements (FISMA, CMMC, NIST CSF).
- Implement zero trust architecture: Multiple recent CISA directives target zero trust adoption as a preventative control. Organizations that have implemented zero trust detect and contain breaches faster.
- Establish incident response capability: When directives arrive, you need the ability to execute complex remediation quickly. Professional incident response capabilities become necessary.
The Uncomfortable Reality: Compliance Is Reactive
CISA emergency directives are reactive responses to active exploits. By the time a directive is issued, attackers have already compromised some systems.
The F5 directive came after attackers stole source code. The Cisco directive came after state-sponsored actors exploited vulnerabilities.
Emergency directives represent damage control, not prevention.
This means organizations using vulnerable infrastructure before the directive was issued might already be compromised. Patching after compromise might not help if attackers already gained persistent access.
The “Harvest Now, Decrypt Later” Problem
If attackers exploit F5 vulnerabilities and exfiltrate data from your systems, they can decrypt that data later using the source code they stole. Patching today doesn’t undo past compromise.
This reinforces the uncomfortable truth: security is about continuous vigilance, not reacting to emergency directives.
The Bigger Picture: Federal Security Policy Trickling Down
CISA emergency directives started as federal-only concerns. They’re increasingly becoming de facto private sector standards.
Why? Because:
- Federal contractors must comply or lose contracts
- Insurance carriers increasingly require CISA compliance
- Customers ask about CISA directive compliance during vendor evaluation
- Boards expect security leadership to know about and respond to CISA guidance
According to NRI Secure’s compliance overview, compliance with federal standards is increasingly becoming a competitive advantage: “Organizations demonstrating CISA compliance signal strong cybersecurity posture to customers and partners.”
Conclusion: CISA Directives Are Your Directives
While technically CISA emergency directives apply only to federal agencies, they’re increasingly becoming private sector standards.
Organizations ignoring CISA directives until directly forced to comply are falling behind. Those using CISA guidance as a best-practice framework are ahead.
The velocity of threat is accelerating. Directives are issued faster. Compliance deadlines compress. Organizations not prepared to respond rapidly will find themselves breached while still planning their response.
Whether you’re a federal contractor or a private company, CISA’s emergency directives should inform your security strategy. They represent real threats affecting real infrastructure. If those threats affect federal systems, they’ll affect yours too.

