CISA Mandates Federal Agencies Replace Outdated Edge Devices

Summary
– CISA has issued a binding directive requiring US federal civilian agencies to address the security risk of outdated, unsupported “edge devices” on their networks.
– These edge devices include routers, firewalls, and other networking hardware that are vulnerable because they no longer receive security patches from vendors.
– Agencies must inventory these devices within three months and completely remove all identified unsupported devices from networks within 18 months.
– The directive establishes a two-year timeline for agencies to implement a continuous process to discover and manage devices before they become unsupported.
– CISA warns that threat actors are actively exploiting these devices and that they pose a significant risk; compliance is tracked by CISA and OMB oversight rather than enforced through fines.
A significant cybersecurity mandate from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) now requires federal civilian agencies to systematically identify and replace outdated networking equipment. This binding operational directive, BOD 26-02, targets a critical weakness: edge devices that have reached end of support and no longer receive security updates from their vendors. Because such devices, including firewalls, routers, VPN concentrators and wireless access points, typically sit at the network perimeter and are often reachable directly from the internet, an unpatched flaw in one of them gives an attacker a ready entry point into a government network.
The directive sets out a strict, multi-phase timeline. The first step is to immediately patch any edge device that can still be updated without disrupting essential operations. Within three months, agencies must complete an inventory of all edge devices on their networks that appear on CISA’s end-of-service list. Only after that inventory exists does the replacement work begin.
Within one year, agencies must remove and replace every device whose vendor end-of-support date has already passed. Within eighteen months, every device identified in the inventory as unsupported, including those that reach end of support during the compliance window, must be off the network. Finally, within two years, each agency must establish a continuous discovery process that identifies devices approaching end of support and plans their replacement before they become a liability. CISA will support this effort by publishing and maintaining the list of affected devices and by providing technical guidance.
CISA emphasized the urgent need for this action, citing knowledge of active exploitation campaigns by sophisticated threat actors specifically targeting these obsolete edge devices. The agency warned that organizations failing to maintain proper lifecycle management for their networking hardware face a substantially higher risk of compromise. While the directive specifically addresses edge devices, CISA reinforced that end-of-service technology should not be present on any part of federal networks, underscoring a broader principle of modern IT hygiene.
Although this directive carries legal authority under federal law, enforcement relies on tracking and oversight rather than financial penalties. CISA, in coordination with the Office of Management and Budget, will monitor agency compliance with the established deadlines to ensure the mandate drives tangible improvements in the federal government’s cybersecurity posture.
(Source: HelpNet Security)