Focus on FedRAMP® Blog

Responding to CISA Emergency Directive 26-01

October 15th, 2025

On Wednesday, October 15, 2025, the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issued “Emergency Directive 26-01: Mitigate Vulnerabilities in F5 Devices.” The Emergency Directive states the following:

A nation-state affiliated cyber threat actor has compromised F5’s systems and exfiltrated files, which included a portion of its BIG-IP source code and vulnerability information. The threat actor’s access to F5’s proprietary source code could provide that threat actor with a technical advantage to exploit F5 devices and software. The threat actor’s access could enable the ability to conduct static and dynamic analysis for identification of logical flaws and zero-day vulnerabilities as well as the ability to develop targeted exploits.

This cyber threat actor presents an imminent threat to federal networks using F5 devices and software. Successful exploitation of the impacted F5 products could enable a threat actor to access embedded credentials and Application Programming Interface (API) keys, move laterally within an organization’s network, exfiltrate data, and establish persistent system access. This could potentially lead to a full compromise of target information systems.

CISA has assessed these conditions pose an unacceptable risk to agencies and necessitate immediate emergency action involving the following F5 products:

  • Hardware: BIG-IP iSeries, rSeries, or any other F5 device that has reached end of support
  • Software: All devices running BIG-IP (F5OS), BIG-IP (TMOS), Virtual Edition (VE), BIG-IP Next, BIG-IQ, and BIG-IP Next for Kubernetes (BNK)/Cloud-Native Network Functions (CNF)

ACTIONS REQUESTED FOR CLOUD SERVICE PROVIDERS

FedRAMP Authorized cloud service offerings are requested to determine if there are affected devices within their FedRAMP authorization boundary. If no affected devices exist, no further action is required and you may disregard the rest of this message (you may optionally report that your cloud service is not affected).

If affected devices exist in your environment, please take the following steps:

(1) Immediate vulnerability response action must be completed by Wednesday, October 22, 2025, to patch or otherwise address the potential adverse impact on affected devices, including:

  • Identify if management interfaces on affected devices are accessible via the public internet; if so, remove, harden or otherwise mitigate the risk of public accessibility as quickly as possible
  • Apply the latest vendor supplied patches on affected devices
  • If affected devices have passed end of support, disconnect and decommission such devices

Recommended filename:

  • ED-26-01-Response-[CSP name]-[CSO name]
  • Note: Please replace the CSP and CSO name placeholders with your corresponding information.

Recommended content:

  • Are affected devices present within the FedRAMP boundary? [YES/NO]
  • For all affected devices, identify if the networked management interface is accessible directly from the public internet
  • Summary of actions taken (and to be taken)
  • Additional information you wish to provide to your customers

(3) Once the information from step (2) is available in your secure repository, please take the following actions to notify agency customers:

  • Email all agency customer Authorizing Officials (or ISSO) POCs with notification of the completed action.
  • Email the FedRAMP PMO with notification of the completed action at info@fedramp.gov using the following convention for your subject line: [CSP NAME | Package ID] - Response to ED 26-01.
  • Upload a copy of your email notifications to the incident response folder in your respective FedRAMP secure repository.

If any indication of compromise or anomalous behavior is found or there is any suspected impact to federal systems, please make sure to follow the FedRAMP Incident Communication Procedures, which includes reporting to CISA US-CERT and agency customers.

If you have any questions, please reach out to info@fedramp.gov and CyberDirectives@cisa.dhs.gov.

GUIDANCE FOR AGENCIES

Federal agency customers can access the CSP responses from the Incident Response folder in the CSP’s respective FedRAMP secure repository. Agencies should assume that a cloud service provider is not affected by the Emergency Directive if no response is uploaded or emailed. If agency personnel need access to a CSP’s repository for review, please submit a FedRAMP Package Access Request Form to package-access@fedramp.gov.

References

  1. https://www.cisa.gov/news-events/directives/ed-26-01-mitigate-vulnerabilities-f5-devices