The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has directed Federal Civilian Executive Branch (FCEB) agencies to tighten lifecycle management for edge network devices and remove any equipment that no longer receives security updates from original equipment manufacturers (OEMs). Agencies have been given a 12 to 18 month window to complete the removals.
CISA said the directive is intended to reduce technical debt and limit exposure to cyber intrusions, as state‑sponsored threat actors increasingly exploit these devices as an entry point into targeted networks.
The term "edge devices" broadly refers to technologies such as load balancers, firewalls, routers, switches, wireless access points, network security appliances, Internet of Things (IoT) edge systems, software-defined networking components, and other physical or virtual infrastructure that routes network traffic and maintains privileged access.
“Persistent cyber threat actors are increasingly targeting unsupported edge devices, hardware and software that no longer receive firmware updates or security patches from vendors,” CISA said. “Because these systems sit at the network perimeter, they present an especially attractive target for attackers exploiting both known and newly discovered vulnerabilities.”
To support compliance, CISA has created an end‑of‑support edge device list that will serve as an initial reference catalog for agencies. The list will identify devices that have already reached end of support or are approaching it, and will include product names, version numbers, and documented end-of-support dates.
Under the newly issued Binding Operational Directive (BOD) 26‑02, titled "Mitigating Risk From End of Support Edge Devices," FCEB agencies are required to take the following actions:
- Immediately update any vendor‑supported edge devices that are running end‑of‑support software to a supported software version
- Within three months, inventory all edge devices, identify those that have reached end of support, and report findings to CISA
- Within 12 months, decommission all end‑of‑support edge devices listed in CISA’s repository and replace them with vendor‑supported alternatives capable of receiving security updates
- Within 18 months, remove all remaining identified end‑of‑support edge devices from agency networks and replace them with supported systems
- Within 24 months, establish a formal lifecycle management process that enables continuous discovery of edge devices and maintains an up‑to‑date inventory of systems that have reached—or will reach—end of support
“Unsupported devices present a significant risk to federal networks and should never remain connected to enterprise environments,” said CISA Acting Director Madhu Gottumukkala. “By proactively managing asset lifecycles and eliminating end‑of‑support technologies, we can collectively improve resilience and help safeguard the global digital ecosystem.”

