CISA BOD 26-02 Signals a New Era of Edge Device Lifecycle Accountability
2026-02-24 19:13:23 Author: www.guidepointsecurity.com

The U.S. is a favorite target for threat actors, and those actors often take advantage of unsupported devices sitting at the edge of an organization’s network perimeter. Firewalls, VPNs, routers, IoT devices, and even personal devices like smart watches and cameras are all potential entry points, especially once they have reached end of support (EOS). To mitigate this risk, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive 26-02 (CISA BOD 26-02), which requires federal agencies to inventory all devices on the CISA EOS Edge Device List and report that inventory to CISA within 90 days of issuance, with longer-term requirements for decommissioning and lifecycle governance.

The Straight Talk on BOD 26-02

Binding Operational Directive 26-02 (BOD 26-02) is CISA drawing a hard line on EOS edge devices. Without regular patching or vendor support, existing vulnerabilities persist. Attackers know that those devices, when exposed externally, provide a perfect entry point and pivot point for lateral movement into federal networks.

BOD 26-02 sets deadlines for inventory, decommissioning, and ultimately, continuous discovery, so EOS devices don’t creep back in after the initial sweep is finished. 

An Edge Device Management Mindset Shift

BOD 26-02 intends to minimize organizational risk and to shift how federal agencies approach edge device management. The shift?

Stop treating refresh like a “big bang”

Most agencies fail at edge device lifecycle management because the refresh gets delayed until the process becomes untenable and overwhelming. Those delays can stem from limited staffing, low tolerances for outages, or simply not maintaining the asset inventory. Regardless, budget is always a factor. By the time approved devices make it through procurement and into production, they’re already closer to end-of-life than anyone expected.

The Winning Strategy for BOD 26-02 Alignment: Incremental Modernization

They always say the best way to eat an elephant is one bite at a time. Modernizing an IT environment is similar. 

Few organizations can afford to do a wholesale replacement at once. The best strategy is to break the whole into manageable projects.  By working incrementally, you can decrease risk, minimize outages, and enable more predictable funding.

It also helps the process if your organization can standardize edge stacks. Fewer design types and versions lead to less chaotic environments and easier update paths.

Finally, design your IT architecture for replacement. Again, less is more. Focus on modular architectures and clean change windows that enable repeatable cutovers.

Practical Ways to Beat EOS Without Blowing up Budgets

BOD 26-02 is lighting a fire under federal agencies. As of its issuance in February 2026, it requires agencies to immediately apply available vendor updates to any devices where doing so does not impact mission-critical functionality. Within three months (May 2026), agencies must inventory all edge devices that appear on the CISA EOS Edge Device List and report them using the CISA-provided template.

Here are a few practical steps that you can take to manage edge devices across federal networks and build a lifecycle modernization strategy. 

1. Build an “EOS runway”

BOD 26-02 ultimately requires continuous discovery and inventory of EOS and soon-to-be-EOS edge devices. If you treat modernization as an operational discipline rather than a compliance drill, you will have the tooling to continuously track every edge device with:

  • Model/version
  • EOS date
  • Management plane exposure
  • Internet exposure
  • Mission criticality

2. Use a 3-lane approach

It’s not always practical to update everything all at once. Instead, use a staggered approach. 

  • Lane A – Upgrade now: Apply vendor-supported updates to edge devices, provided such an update won’t harm mission critical functionality. 
  • Lane B – Replace next: Focus on devices that have already hit EOS or will be hitting their EOS date within the next 12 months. 
  • Lane C – Redesign over time: Focus on devices where the architecture is brittle: load balancer pairs, VPN, legacy DMZ patterns. This focus will enable you to build the right strategy to minimize risk and downtime.
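
Implemented as a small Python script, the EOS runway fields above and the three-lane triage can be driven from a single inventory. This is an added example, not GuidePoint’s code and not anything the directive itself specifies: the inventory rows are constructed, the field names, the Lane B window (12 months) and the exposure weights are assumptions, and the reference date is taken from the article’s February 2026 issuance.

```python
"""EOS runway triage for edge devices (added example; constructed data)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Reference date: the directive's issuance month per the article (assumption).
ISSUED = date(2026, 2, 24)
# Lane B window: devices already EOS or reaching EOS within the next 12 months.
REPLACE_HORIZON_DAYS = 365


@dataclass(frozen=True)
class EdgeDevice:
    name: str
    model: str
    version: str
    eos_date: Optional[date]   # None = vendor has announced no EOS date yet
    internet_exposed: bool     # data plane reachable from the internet
    mgmt_exposed: bool         # management plane reachable outside a dedicated mgmt network
    mission_critical: bool
    brittle: bool              # load balancer pair, VPN concentrator, legacy DMZ pattern
    update_available: bool     # vendor-supported update exists but is not yet applied


def days_to_eos(dev: EdgeDevice, today: date = ISSUED) -> Optional[int]:
    """Negative when the device is already past EOS; None when no date is announced."""
    return None if dev.eos_date is None else (dev.eos_date - today).days


def exposure_score(dev: EdgeDevice) -> int:
    """Orders work inside a lane. Weights are assumptions, not from the directive."""
    return 4 * dev.internet_exposed + 3 * dev.mgmt_exposed + 2 * dev.mission_critical


def assign_lane(dev: EdgeDevice, today: date = ISSUED) -> str:
    """A = upgrade now, B = replace next, C = redesign over time, else just monitor."""
    d = days_to_eos(dev, today)
    if d is not None and d <= REPLACE_HORIZON_DAYS:
        return "B"            # already EOS, or EOS within 12 months
    if dev.update_available:
        return "A"            # still supported and patchable
    if dev.brittle:
        return "C"            # supported, but the surrounding architecture is fragile
    return "monitor"


def runway_report(devices: List[EdgeDevice], today: date = ISSUED) -> List[dict]:
    """One row per device, sorted Lane B first, then by exposure, then by EOS proximity."""
    rows = []
    for dev in devices:
        d = days_to_eos(dev, today)
        rows.append({
            "name": dev.name, "model": dev.model, "version": dev.version,
            "lane": assign_lane(dev, today),
            "days_to_eos": d,
            "past_eos": d is not None and d < 0,
            "exposure": exposure_score(dev),
            # A Lane A update on a mission-critical device needs a planned change window.
            "needs_change_window": dev.mission_critical and dev.update_available,
        })
    order = {"B": 0, "A": 1, "C": 2, "monitor": 3}
    rows.sort(key=lambda r: (order[r["lane"]], -r["exposure"],
                             r["days_to_eos"] if r["days_to_eos"] is not None else 10**6))
    return rows


# Constructed inventory; models and dates are illustrative, not real products.
INVENTORY = [
    EdgeDevice("fw-dc1-edge", "ExampleFW 3000", "9.1.4", date(2025, 9, 30), True, True, True, False, False),
    EdgeDevice("vpn-hq-1", "ExampleVPN 500", "7.2.0", date(2026, 11, 1), True, False, True, True, True),
    EdgeDevice("rtr-branch-7", "ExampleRouter 1100", "15.9", date(2028, 6, 30), False, True, False, False, True),
    EdgeDevice("lb-dmz-pair", "ExampleLB 2200", "12.0", None, True, False, True, True, False),
    EdgeDevice("cam-lobby-3", "ExampleCam", "2.3", date(2027, 8, 1), False, True, False, False, False),
]

if __name__ == "__main__":
    for row in runway_report(INVENTORY):
        print(f'{row["lane"]:>7}  {row["name"]:<14} exposure={row["exposure"]} '
              f'days_to_eos={row["days_to_eos"]} change_window={row["needs_change_window"]}')
```

Re-running the report on a schedule is what turns a one-off inventory into a runway: cam-lobby-3 is only a monitoring item on the reference date, but it drops into Lane B as soon as its EOS date is within 12 months, which is the continuous tracking the article describes.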

3. Make procurement match the clock

The timeline for BOD 26-02 calls for significant progress at both 12 months and 18 months. At those milestones, agencies must decommission and report, first for listed devices, then for all EOS edge devices. Specifically:

• Within 12 months (February 2027):
  • Decommission devices that have reached EOS.
  • Report those decommissions to CISA using the CISA-provided template.
  • Inventory all in-scope edge devices in the agency’s environment that are EOS or will become EOS within 12 months.
• Within 18 months (August 2027):
  • Decommission and replace the remaining EOS edge devices with vendor-supported equipment that can receive current security updates.
  • Report those decommissions to CISA using the CISA-provided template.
• Within 24 months (February 2028):
  • Establish a process for continuous discovery of all edge devices, and maintain an inventory of those that are or will become EOS.
  • Decommission edge devices on or before their EOS dates, and report those decommissions to CISA using the CISA-provided template.

That means acquisition plans should lock early with:

• Approved vendor configurations
• Standard baselines
• “No-EOS” contract language for managed services

4. Turn edge refresh into a zero trust enabler

Every device needs a verified identity. With your new, comprehensive inventory in hand, now is the time to revisit zero trust concepts like multi-factor authentication (MFA), asset identity, workload isolation, and encryption in transit.

In fact, refreshing edge devices is your chance to modernize:

• Identity-backed admin access
• Segmented management networks
• Stronger access policy
• Encrypted control planes
• Better telemetry

The Bottom Line on BOD 26-02

With BOD 26-02, CISA is telling agencies that unsupported edge devices are an unacceptable risk, and one that is readily remedied with disciplined lifecycle management and steady refresh. The fastest way to win is to stop waiting for a massive tech refresh and instead make refresh a repeatable, budgetable, annual operating rhythm.

Are you ready to get started with incremental modernization of your edge devices? GuidePoint Security can help. We work with government agencies of all sizes and at all levels of federal, state, and local government, providing tailored solutions and services so you can complete your mission with better cybersecurity decisions that minimize risk.



Timothy Amerson

Federal Chief Information Security Officer (CISO),
GuidePoint Security

Timothy Amerson is currently the Federal Chief Information Security Officer (CISO) at GuidePoint Security and also serves as President of the Board of Directors for The KEY (Keep Elevating Yourself) Community Non-Profit. He brings more than 30 years of distinguished service in federal cybersecurity leadership. Most recently, he served as the CISO and Associate Commissioner at the Social Security Administration (SSA), where he was recognized as a 2023, 2024 and 2025 Top 100 Information Security Professional; a 2024 FedScoop Top 50 Federal Leader nominee; a 2025 CyberScoop Government Leaders and FedScoop Top 50 Federal Leader nominee; and a finalist for the US Forces in Business Lifetime Achievement Award.

At SSA, Mr. Amerson was responsible for enterprise-wide cybersecurity operations including Cybersecurity Risk Management (CSRM), Zero Trust Architecture (ZTA), FISMA compliance metrics, 24x7 Security Operations Center (SOC), Continuous Diagnostics and Mitigation (CDM), Red and Blue Team operations, Vulnerability Management, Insider Threat programs, Cyber Supply Chain Risk Management (C-SCRM), and secure software practices. Under his leadership, SSA’s FISMA scores increased from 70% to 98%, elevating the agency to one of the top performers across all Federal Civilian agencies.

Prior to SSA, Mr. Amerson held multiple senior leadership roles at the Department of Veterans Affairs (VA), including Director of Infrastructure Cybersecurity Management, Cybersecurity Product Line Manager, and (Detailed) Director of the National Data Center Operations and Logistics program. He was named a 2021 FedScoop “Best Bosses in Federal IT” finalist for his transformational leadership. He began his Federal Civilian IT career on the help desk at the Texas National Guard Joint Force Headquarters and rose through the ranks to become Chief Technology Officer.

Mr. Amerson is a decorated Army veteran with 32 years of service, including combat and stateside deployments, and has served as Platoon Leader, Commander, and Operations Officer. He also served as Deputy of the Computer Emergency Response Team and Deputy of the Defense Cyberspace Operations Element, and established the first multi-state Cyber Protection Team (CPT). He participated in and led Red and Blue Team activities during major national cyber exercises, including Cyber Storm (DHS), Cyber Shield (USCYBERCOM), and Cyber Guard (NGB), in partnership with the NSA, FBI, FEMA, and ODNI. He has received numerous commendations, including the Legion of Merit, Bronze Star Medal, four Meritorious Service Medals, and recognition from several professional associations, including the Silver Order of Thor (Cyber), the Silver Order of Mercury (Signal), and the Bronze Order of Saint George (Cavalry).

He holds a Master of Science in Computer Science with a Specialization in Cybersecurity (Summa Cum Laude) and a Bachelor of Science in Computer Information Systems, is a graduate of the Army Cyber Center of Excellence and the Command & General Staff College, and maintains over 30 certifications, including Certified Information System Security Professional (CISSP), Project Management Professional (PMP), Certified Ethical Hacker (CEH and Hall of Fame), Certified Chief Information Security Officer (aC|CISO), Certified Competency in Zero Trust (CCZT), International Society of Automation (ISA)/International Electrotechnical Commission (IEC) 62443 Cybersecurity Expert, and Microsoft Certified Educator (MCE).

In his personal time, Mr. Amerson is passionate about cybersecurity, education, and outreach. He served as a conference coordinator for the Texas Cyber Summit and DEF CON, and mentored students on cybersecurity teams at both the high school and collegiate levels, resulting in numerous national awards, grants, and scholarships.


Source: https://www.guidepointsecurity.com/blog/cisa-bod-2020-02-a-new-era-of-edge-device-lifecycle-accountability/