    CISA Known Exploited Vulnerabilities Catalog

    CISA's authoritative list of CVEs with confirmed in-the-wild exploitation, with mandatory federal remediation deadlines.

    Reviewed by Christian Espinosa, Founder, Blue Goat Cyber. Last reviewed June 20, 2026.

    Definition

    The Known Exploited Vulnerabilities (KEV) Catalog is a continuously updated list maintained by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) of Common Vulnerabilities and Exposures (CVEs) that are being actively exploited in the wild. Each entry includes the CVE ID, vendor/product, vulnerability name, the date added, a required-action date (typically 21 days for federal civilian agencies under Binding Operational Directive 22-01), and notes on whether the vulnerability is known to be used in ransomware campaigns. KEV is widely adopted outside the federal sector as a high-confidence prioritization signal: a vulnerability on KEV is, by definition, no longer theoretical.

    What the regulation says

    CISA Binding Operational Directive 22-01 makes KEV remediation mandatory for federal civilian executive branch agencies. FDA's premarket cybersecurity guidance and Section 524B post-market expectations cite KEV-style exploited-in-the-wild status as the highest tier of vulnerability that manufacturers' post-market plans must address quickly.

    What this means in practice

    For medical device manufacturers, KEV is the single most actionable input to vulnerability prioritization. A CVE on KEV that affects a component listed in your SBOM should trigger immediate triage, well ahead of generic CVSS scoring. KEV inclusion also frequently appears in CISA ICS Medical Advisories and informs FDA's expectations under Section 524B for a 'plan to monitor, identify, and address' post-market vulnerabilities.

    Common pitfalls

    • Treating CVSS score as a substitute for KEV status: many critical-CVSS bugs are never exploited, while many medium-CVSS bugs on KEV are devastating.
    • Polling KEV manually instead of automating ingestion of the official JSON feed and cross-referencing it with your SBOM.
    • Assuming the 21-day federal timeline doesn't apply to private hospitals: many health systems contractually require vendor remediation on the KEV cadence.
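    The three pitfalls above come down to one automated check: pull the KEV feed, join it against the CVEs your scanner reports for SBOM components, and rank by KEV status and due date rather than by CVSS alone. The script below is an added example for this glossary entry, not code from CISA or from Blue Goat Cyber. It uses the field names of CISA's published feed (cveID, dateAdded, dueDate, knownRansomwareCampaignUse), but the feed body, the scanner findings and the CVE IDs are constructed sample data so it runs offline; the shape of the scanner output is an assumption.

```python
"""Cross-reference scanner findings against the CISA KEV JSON feed.

Added example; not code from the page, from CISA or from Blue Goat Cyber.
Field names (cveID, dateAdded, dueDate, knownRansomwareCampaignUse, ...)
follow CISA's published feed at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
The feed body and scanner findings below are CONSTRUCTED sample data with
fictitious CVE IDs so the script runs offline.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Fixed "today" so the output is deterministic (the entry's review date).
REVIEW_DATE = date(2026, 6, 20)

# Constructed stand-in for a downloaded KEV feed (same top-level shape as the real file).
KEV_FEED_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2026.06.20",
    "dateReleased": "2026-06-20T12:00:00.0000Z",
    "count": 2,
    "vulnerabilities": [
        {   # medium-CVSS bug on KEV with ransomware linkage (constructed)
            "cveID": "CVE-2099-0001",
            "vendorProject": "ExampleVendor",
            "product": "ExampleLib",
            "vulnerabilityName": "ExampleLib deserialization vulnerability",
            "dateAdded": "2026-06-10",
            "shortDescription": "Constructed entry for illustration only.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2026-07-01",   # dateAdded + 21 days, the BOD 22-01 cadence
            "knownRansomwareCampaignUse": "Known",
            "notes": "",
        },
        {   # on KEV, no ransomware linkage, already past its due date (constructed)
            "cveID": "CVE-2099-0002",
            "vendorProject": "ExampleVendor",
            "product": "ExampleFirmware",
            "vulnerabilityName": "ExampleFirmware authentication bypass",
            "dateAdded": "2026-05-25",
            "shortDescription": "Constructed entry for illustration only.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2026-06-15",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        },
    ],
})

# Constructed scanner output: CVEs matched to SBOM components, with CVSS base scores.
FINDINGS = [
    {"cve": "CVE-2099-0001", "component": "examplelib@1.2.3", "cvss": 6.5},
    {"cve": "CVE-2099-0002", "component": "examplefirmware@4.0.1", "cvss": 7.2},
    {"cve": "CVE-2099-0003", "component": "otherlib@0.9.0", "cvss": 9.8},  # critical, not on KEV
]


@dataclass(frozen=True)
class Prioritized:
    cve: str
    component: str
    cvss: float
    on_kev: bool
    ransomware: bool
    due_date: Optional[date]
    days_to_due: Optional[int]   # negative means the KEV due date has passed
    tier: int                    # 0 = KEV + ransomware, 1 = KEV, 2 = not on KEV


def load_kev(feed_json: str) -> dict[str, dict]:
    """Parse the KEV feed and index its entries by CVE ID."""
    feed = json.loads(feed_json)
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def prioritize(findings: list[dict], kev: dict[str, dict], today: date) -> list[Prioritized]:
    """Rank findings: KEV tier first, then due-date urgency, then CVSS as a tiebreaker."""
    ranked: list[Prioritized] = []
    for f in findings:
        entry = kev.get(f["cve"])
        if entry is None:
            ranked.append(Prioritized(f["cve"], f["component"], f["cvss"],
                                      False, False, None, None, 2))
            continue
        ransomware = entry.get("knownRansomwareCampaignUse") == "Known"
        due = date.fromisoformat(entry["dueDate"])
        ranked.append(Prioritized(f["cve"], f["component"], f["cvss"], True, ransomware,
                                  due, (due - today).days, 0 if ransomware else 1))
    ranked.sort(key=lambda p: (p.tier,
                               p.days_to_due if p.days_to_due is not None else 10**6,
                               -p.cvss))
    return ranked


def overdue(ranked: list[Prioritized]) -> list[str]:
    """CVE IDs whose KEV due date has already passed."""
    return [p.cve for p in ranked if p.days_to_due is not None and p.days_to_due < 0]


if __name__ == "__main__":
    for p in prioritize(FINDINGS, load_kev(KEV_FEED_JSON), REVIEW_DATE):
        due = f"due {p.due_date} ({p.days_to_due:+d} days)" if p.on_kev else "not on KEV"
        flags = "ransomware" if p.ransomware else ""
        print(f"tier {p.tier}  {p.cve}  {p.component:<24}  CVSS {p.cvss:<4}  {due}  {flags}")
```

    Run against these constructed inputs, the 6.5-CVSS ransomware-linked KEV entry ranks first, the overdue KEV entry second, and the 9.8-CVSS bug that is not on KEV last, which is the ordering the first pitfall argues for. In production, replace KEV_FEED_JSON with the downloaded feed and FINDINGS with your scanner's output, and page on anything overdue() returns.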

    Frequently asked questions

    What does it take for a vulnerability to be added to KEV? Three criteria must all be met: the vulnerability has a CVE ID, there is reliable evidence of active exploitation in the wild, and there is clear remediation guidance (usually a vendor patch).

    Primary references

    1. Known Exploited Vulnerabilities Catalog. CISA, cisa.gov.
    2. Binding Operational Directive 22-01. CISA, cisa.gov.
    3. KEV JSON feed. CISA, cisa.gov.