The KEV catalog was launched in November 2021 with roughly 300 entries. There are now more than 730 entries and the database continues to grow as CISA becomes aware of other new or old vulnerabilities that have been exploited in the wild.
The catalog is accompanied by Binding Operational Directive 22-01, which instructs federal agencies to patch the vulnerabilities before a specified deadline. Other types of government organizations, as well as private companies, are advised to leverage the catalog to prioritize vulnerability patching and strengthen their security. This is why the catalog is referred to by many as CISA’s “Must Patch” list.