KEV

KEV-to-Risk Kit (Cities/Counties)

Turn CISA’s Known Exploited Vulnerabilities (KEV) into an exec-friendly risk conversation and an IT remediation plan.

Executive Summary (1 page)

Responsible use: adapt to your environment; don’t paste sensitive system data into templates; validate with policy/counsel as appropriate.

Why KEV matters

KEV is not theoretical—these vulnerabilities are exploited in the wild.
It’s a high-signal prioritization list for patching and mitigations.

What leadership should ask for

Which KEVs affect internet-facing systems?
What’s the remediation plan and timeline (7/14/30)?
What exceptions require risk acceptance + compensating controls?

Cadence

Monthly review + out-of-band addendum when KEV touches edge infrastructure.

What you get

5-slide executive deck (Markdown outline)
IT action sheet (track CVEs → owners → SLAs → status)
Patch SLA table (simple 7/14/30 rule-set)

Links

Exec deck (Markdown): slides/kev-to-risk-pack/KEV_TO_RISK_DECK.md
IT action sheet (template): templates/kev-to-risk-pack/IT_ACTION_SHEET.md
Patch SLA table (template): templates/kev-to-risk-pack/PATCH_SLA_TABLE.md
CISA KEV catalog: cisa.gov/known-exploited-vulnerabilities-catalog
BOD 22-01 overview: cisa.gov/binding-operational-directive-22-01

Hosted index: Public Sector Playbooks — Hosted Tools