CISA pushes Federal agencies to retire end-of-support edge devices

CISA ordered U.S. federal agencies to improve management of edge network devices and replace unsupported ones within 12–18 months.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) instructed U.S. federal civilian agencies to strengthen how they manage edge network devices throughout their lifecycle. According to Binding Operational Directive 26-02, Mitigating Risk From End-of-Support Edge Devices, agencies must identify and replace devices that no longer receive security updates from manufacturers within the next 12 to 18 months to reduce cyber risks and improve infrastructure security.

The directive requires Federal Civilian Executive Branch (FCEB) agencies to take specific actions to drive down technical debt and minimize the risk of compromise.” reads the advisory published by the U.S. Cybersecurity and Infrastructure Security Agency. “Within a specified timeframe, FCEB agencies must strengthen asset lifecycle management for active edge devices and remove any hardware and software devices that is no longer supported by its original equipment manufacturer. ”

The agency warns that threat actors increasingly target unsupported edge devices that sit at the network perimeter and no longer receive security updates. To reduce this risk, CISA requires federal agencies to inventory all edge devices, report those that are end-of-support, update or replace them with supported versions, remove unsupported hardware from networks, and adopt strong lifecycle management to continuously track device status.

“Unsupported devices pose a serious risk to federal systems and should never remain on enterprise networks,” said CISA Acting Director Madhu Gottumukkala. “When the threat landscape demands decisive action, CISA will direct FCEB agencies to strengthen cyber resilience and build a stronger, safer digital infrastructure for America’s future. CISA strongly encourages non-federal organizations to adopt similar actions to strengthen the security of their edge devices.”

CISA says strong cyber hygiene starts by removing unsupported edge devices. Managing asset lifecycles and retiring end-of-support technology reduces risk and improves resilience across government and beyond. As agencies carry out the directive, CISA will track compliance, review progress, and provide support as needed. The agency also clarified that edge devices include firewalls, routers, switches, load balancers, wireless access points, IoT edge devices, SDN components, and other network systems that route traffic and hold privileged access.

“Practicing good cyber hygiene starts with eliminating unsupported edge devices,” said CISA Executive Assistant Director for Cybersecurity Nick Andersen. “Driving timely risk reduction across the federal enterprise is critical, but true impact comes when all organizations commit to the same goal. By proactively managing asset lifecycles and removing end-of-support technology, we can collectively strengthen resilience and protect the global digital ecosystem.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, edge network devices)