U.S. flag

An official website of the United States government

Mountain background

Notice Thumbnail

Emergency Directive 26-03 Mitigate Vulnerabilities in Cisco-SD WAN Systems

NTC-0006 published at Wed, 25 Feb 2026 22:55:00 GMT // Markdown Version

The following email is being sent by FedRAMP to all cloud service providers in the FedRAMP Marketplace on the evening of February 25, 2026.

Subject Line: Emergency: FedRAMP Response to CISA ED 26-03

This is a real emergency and action is required in response to CISA Emergency Directive 26-03: Mitigate Vulnerabilities in Cisco-SD WAN Systems. This is NOT a test.

FedRAMP has been tasked with ensuring all federal agencies have the information they need from cloud services to respond to this Emergency Directive. This will avoid massive duplicative work for agencies and all cloud services.

Providers MUST complete all required actions and report status to FedRAMP (Step 7) by 5:00 PM ET February 27, 2026 regardless of impact level (this timeline has been set by CISA, not FedRAMP).

PLEASE URGENTLY TAKE THE FOLLOWING REQUIRED ACTIONS IN ORDER!

  1. Providers MUST review Emergency Directive 26-03 to understand affected systems.

  2. Providers MUST identify all in-scope affected systems (Cisco SD-WAN) within the FedRAMP-authorized boundary for their cloud service offering(s).

    If no in-scope systems are identified, skip to step 7.

  3. Providers SHOULD collect logs from affected systems as outlined in the Collect section of the Emergency Directive to assist with hunt activities.

  4. Providers MUST apply Cisco-provided updates to all of the CVEs identified in the Emergency Directive by 5:00 PM ET February 27, 2026.

  5. Providers SHOULD perform hunt and hardening activities as recommended by Supplemental Direction ED 26-03: Hunt and Hardening Guidance for Cisco SD-WAN Systems.

  6. Providers MUST upload supplemental information to the Incident Response folder in the FedRAMP repository and notify all agency customer Authorizing Official (or ISSO) POCs with notification of the completed action(s).

    • File Format

      Files should be compatible with modern spreadsheet applications. Acceptable file formats are Comma Separated Values (csv) or Microsoft Excel (xlsx).

    • Filename

      ED-26-03-Response-[FRID]

      Note: Please replace the [FRID] placeholder with your corresponding information.

    • Recommended content

      • List of the type(s) of affected systems.
      • Summary of actions taken and results, including the collection of artifacts, patching, and hunting actions.
      • Additional information you wish to provide to customers

  7. Complete FedRAMP’s Emergency Directive 26-03 Response Form by 5:00 PM ET February 27, 2026. (the URL for this form was emailed to cloud service providers directly)

Corrective Action

Corrective actions based on the Security Inbox process DO NOT apply to this notification due to previously announced testing timelines.

Corrective actions MAY apply based on Incident Response or Continuous Monitoring deficiencies relating to this Emergency Directive Response.

Additional Background

If any indication of compromise or anomalous behavior is found or there is any suspected impact to federal systems, please make sure to follow the FedRAMP Incident Communication Procedures, which includes reporting to CISA US-CERT and agency customers.

If you have any questions, please reach out to info@fedramp.gov and CyberDirectives@cisa.dhs.gov.

FedRAMP.gov

official website of the GSA’s Technology Transformation Services

Looking for U.S. government information and services?
Visit USA.gov