The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a directive requiring Federal Civilian Executive Branch (FCEB) agencies to enhance their asset lifecycle management for edge network devices. This initiative aims to remove devices that no longer receive security updates from original equipment manufacturers (OEMs) within the next 12 to 18 months.
CISA’s decision is driven by the need to reduce technical debt and minimize the risk of compromise, particularly as state-sponsored threat actors increasingly exploit unsupported devices as entry points into target networks. Edge devices include a variety of components such as load balancers, firewalls, routers, switches, wireless access points, network security appliances, Internet of Things (IoT) devices, and other networking elements that manage traffic and hold privileged access.
Identifying Vulnerabilities in Edge Devices
CISA has noted that persistent cyber threat actors are taking advantage of unsupported edge devices—those that no longer receive firmware or security updates. These devices, often positioned at the network perimeter, are particularly susceptible to exploitation of both new and known vulnerabilities. CISA stated, “Persistent cyber threat actors are increasingly exploiting unsupported edge devices.”
New Directive for Federal Agencies
To assist FCEB agencies, CISA has created an end-of-support edge device list, which serves as a preliminary repository detailing devices that have reached or are expected to reach end-of-support status. This list will include the product name, version number, and end-of-support date.
The newly issued Binding Operational Directive 26-02, titled Mitigating Risk From End-of-Support Edge Devices, outlines several required actions for FCEB agencies:
- Update each vendor-supported edge device running end-of-support software to a vendor-supported software version (effective immediately).
- Catalog all devices to identify those that are end-of-support and report to CISA (within three months).
- Decommission all edge devices that are end-of-support and listed in the edge device list from agency networks and replace them with vendor-supported devices that can receive security updates (within 12 months).
- Decommission all other identified edge devices from agency networks and replace them with vendor-supported devices that can receive security updates (within 18 months).
- Establish a lifecycle management process to enable continuous discovery of all edge devices and maintain an inventory of those that have reached or will reach end-of-support (within 24 months).
Importance of Proactive Management
CISA Acting Director Madhu Gottumukkala emphasized the risks posed by unsupported devices, stating, “Unsupported devices pose a serious risk to federal systems and should never remain on enterprise networks.” By proactively managing asset lifecycles and removing outdated technology, CISA aims to enhance resilience and protect the broader digital ecosystem.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.








