WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA) today issued Binding Operational Directive 26-02, Mitigating Risk From End-of-Support Edge Devices. The directive requires Federal Civilian Executive Branch (FCEB) agencies to take specific actions to drive down technical debt and minimize the risk of compromise. Within a specified timeframe, FCEB agencies must strengthen asset lifecycle management for active edge devices and remove any hardware and software devices that is no longer supported by its original equipment manufacturer.
Persistent cyber threat actors are increasingly exploiting unsupported edge devices – hardware and software that no longer receive vendor updates to firmware or other security patches. Positioned at the network perimeter, these devices are especially vulnerable to persistent cyber threat actors exploiting a new or known vulnerability.
To mitigate this threat, CISA is requiring FCEB agencies to adhere to standard lifecycle management processes and mandatory actions within the required time limit in this directive. Required actions in this directive include:
- Update each vendor supported-edge device running end-of-support software to a vendor-supported software version.
- Inventory all devices to identify those that are end-of-support and report to CISA.
- Remove all edge devices that are end of support from agency networks and replace devices as needed with vendor-supported devices that can receive security updates.
- Establish a mature lifecycle management process for continuous discovery of all edge devices and maintain an inventory of those that are or will become end-of-support.
“Unsupported devices pose a serious risk to federal systems and should never remain on enterprise networks,” said CISA Acting Director Madhu Gottumukkala. “When the threat landscape demands decisive action, CISA will direct FCEB agencies to strengthen cyber resilience and build a stronger, safer digital infrastructure for America’s future. CISA strongly encourages non-federal organizations to adopt similar actions to strengthen the security of their edge devices.”
“Practicing good cyber hygiene starts with eliminating unsupported edge devices,” said CISA Executive Assistant Director for Cybersecurity Nick Andersen. “Driving timely risk reduction across the federal enterprise is critical, but true impact comes when all organizations commit to the same goal. By proactively managing asset lifecycles and removing end-of-support technology, we can collectively strengthen resilience and protect the global digital ecosystem.”
As federal civilian agencies implement this directive, CISA will monitor compliance, assess progress and provide support agency as required. CISA remains committed to using its cybersecurity authorities to enhance visibility and drive timely risk reduction across federal enterprise.
Edge devices include, but are not limited to, load balancers, firewalls, routers, switches, wireless access points, network security appliances, Internet of Things (IoT) edge devices, software defined networks and other physical or virtual networking components that route network traffic and hold privileged access.
For more information on CISA Directives, visit Cybersecurity Directives.
###
About CISA
As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.
Visit CISA.gov for more information and follow us on X, Facebook, LinkedIn, Instagram.