Known exploits · published bulletins

Vulnerabilities, cross-linked.

The CISA Known Exploited Vulnerabilities catalog stitched to whatever IAVM, CTO, and CVE references survive in the public STIG and SCAP corpus. Pivot from a CVE to the 800-53 controls that govern its remediation, or from a STIG rule to the bulletin it cites.

CISA KEV: 1,587 known exploited CVEs (catalog v2026.05.01)
Ransomware: 317 CVEs flagged for ransomware campaign use
Last 30 days: 30 CVEs added to KEV in the last 30 days
Active deadlines: 14 entries with a BOD 22-01 deadline still in the future
This year: 103 CVEs added to KEV since 1 January
From STIG/SCAP: 4 distinct IAVM/CTO IDs found; 710 more rules mention IAVA in prose

CISA Known Exploited Vulnerabilities

1,587 entries

The full KEV catalog as published by CISA. Each entry carries a CVE, vendor, product, BOD 22-01 due date, and a short narrative. Federal civilian agencies must remediate by the listed due date; everyone else uses it as a "patch this first" priority queue.

Catalog released · latest CVE added 1 May 2026.

IAVM & CTO references in the corpus

From 757 rules

Specific bulletin IDs (IAVA-format YYYY-A-NNNN and Cyber Tasking Orders CTOnnnn) that DISA chose to embed in published STIG XML. The list is small — almost all DoD bulletin distribution happens behind CAC — but every reference here links back to the rule that cites it.

3 IAVMs · 1 CTO · 3 CVEs · 710 prose mentions

Where this fits in the 800-53 stack

Vulnerability data is the trigger for the controls below. A KEV entry is what an assessor checks against RA-5 Vulnerability Monitoring and Scanning output and SI-2 Flaw Remediation patch evidence. Detail pages for each CVE, IAVM, and KEV entry deep-link straight into the 800-53 r5 catalog so you can read the control text without leaving the site.

STIG/SCAP scan last refreshed . KEV catalog refreshed via app:kev:refresh; corpus scan via app:vulns:rebuild-toc.