Focus on FedRAMP® Blog

Responding to CISA Emergency Directive 25-03

September 29th, 2025

On Friday, September 26, 2025, FedRAMP sent emails to all FedRAMP Authorized cloud providers, informing them of the actions they need to take in response to Emergency Directive 25-03 (ED-25-03), “Identify and Mitigate Potential Compromise of Cisco Devices” (the Emergency Directive), issued by the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). FedRAMP used the security email addresses provided by FedRAMP Authorized cloud providers on the FedRAMP Marketplace.

The following content was sent to FedRAMP Authorized cloud providers and FedRAMP Agency Liaisons:

CISA Emergency Directive 25-03

On Friday, September 25, 2025, the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 25-03, “Identify and Mitigate Potential Compromise of Cisco Devices” (the Emergency Directive). The Emergency Directive states the following:

CISA is aware of an ongoing exploitation campaign by an advanced threat actor targeting Cisco Adaptive Security Appliances (ASA). The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution on ASAs, as well as manipulating read-only memory (ROM) to persist through reboot and system upgrade. This activity presents a significant risk to victim networks. Cisco assesses that this campaign is connected to the ArcaneDoor activity identified in early 2024 and that this threat actor has demonstrated a capability to successfully modify ASA ROM at least as early as 2024. These zero-day vulnerabilities in the Cisco ASA platform are also present in specific versions of Cisco Firepower. Firepower appliances’ Secure Boot would detect the identified manipulation of the ROM.  

CISA has assessed that the following CVEs pose an unacceptable risk to federal information systems:

CVE-2025-20333 – allows for remote code execution

CVE-2025-20362 – allows for privilege escalation

Actions Requested for Cloud Service Providers

FedRAMP Authorized cloud providers are requested to determine if their cloud service offerings have affected devices within their FedRAMP authorization boundary. 

  • If no affected devices exist, no further action is needed.

  • If affected devices exist in your environment, please document the applicability and / or actions taken for your agency customers and notify FedRAMP and agency authorizing officials.

  1. Documentation to deliver to agency customers
  • Recommended filename: ED-25-03-Response-CSP-CSO (replace “CSP-CSO” with your CSP and CSO name)
  • Recommended content:

    • Are Cisco ASA devices present within the FedRAMP boundary? [YES/NO]

    • Number / Percentage of affected devices

    • Are indicators of compromise present? [YES/NO]

    • Summary of actions taken (and to be taken) to address the relevant CVEs

    • Additional information you wish to provide to your customers

Please upload responses to your secure location that stores FedRAMP authorization data (such as USDA Connect) by 11:59 PM Eastern Standard Time on Thursday, October 2, 2025.

  2. Notifications to deliver to agency customers
  • Once the information from step (1) is available in your secure repository, please take the following actions to notify agency customers:

    • Email all agency customer Authorizing Officials (or ISSO) POCs with notification of the completed action.

    • Email FedRAMP with notification of the completed action at info@fedramp.gov using the following convention for your subject line: [CSP NAME | Package ID] - Response to ED 25-03.

    • Upload a copy of your email notifications to the incident response folder in your respective FedRAMP secure repository.

If any indication of compromise or anomalous behavior is found, or there is any suspected impact to federal systems, please make sure to follow the FedRAMP Incident Communication Procedures, which include reporting to CISA US-CERT and agency customers.

If you have any questions, please reach out to info@fedramp.gov and CyberDirectives@HQ.dhs.gov.

Guidance for Agencies

Federal agency customers can access cloud provider responses from the Incident Response folder in the cloud provider’s respective FedRAMP secure repository. Agencies should assume that a cloud service provider is not affected by the Emergency Directive if no response is uploaded or emailed. If agency personnel need access to a cloud provider’s repository to review responses, please submit a FedRAMP Package Access Request Form to package-access@fedramp.gov.

References

  1. https://www.cisa.gov/news-events/directives/ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices

  2. https://www.cve.org/CVERecord?id=CVE-2025-20333 

  3. https://www.cve.org/CVERecord?id=CVE-2025-20362


Related FedRAMP Activities

FedRAMP recognizes the critical need to promptly disseminate information during emergencies. To ensure authorized cloud providers on the FedRAMP Marketplace are maintaining current contact information, we released RFC-0018 FedRAMP Security Inbox Requirements. The proposed standard outlines clear requirements for providers to establish and maintain a FedRAMP Security Inbox, ensuring reliable communication channels, especially during emergencies. Public comments will be accepted now through October 29, 2025.