CISA Mandates Federal Agencies Replace Outdated Edge Devices

Summary
– CISA has issued a binding directive requiring federal agencies to identify and remove network edge devices that no longer receive security updates from manufacturers.
– The agency warns that these end-of-life devices, like routers and firewalls, leave systems highly vulnerable to exploitation by advanced threat actors.
– The directive gives agencies three months to inventory such devices, one year to decommission any device that was already past its end-of-support date when the directive was issued, and 18 months to retire every identified end-of-support device.
– Agencies must also establish continuous discovery processes within 24 months to maintain inventories of equipment nearing end-of-support.
– While the requirements are for federal agencies, CISA encourages all network defenders to follow this guidance to secure their systems.
A significant new mandate from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) compels federal agencies to systematically identify and replace outdated network hardware. The directive targets end-of-life edge devices such as routers, firewalls, and switches that no longer receive manufacturer security updates, treating them as a critical vulnerability. CISA warns these unsupported devices present a constant and substantial threat, leaving federal systems exposed to sophisticated cyberattacks and to newly discovered vulnerabilities for which no patch will ever ship.
The agency highlighted that advanced threat actors are actively running widespread campaigns against these vulnerable systems. Binding Operational Directive 26-02 (BOD 26-02) establishes a strict timeline for agencies to take action. Effective immediately, agencies must update any edge device running outdated software for which the vendor still provides updates. Within three months, they must complete an inventory of all equipment that appears on CISA's end-of-support list.
The directive outlines further deadlines for complete remediation. Federal agencies have one year to decommission any device that had already reached its end-of-support status before the directive was issued. A more comprehensive deadline is set for eighteen months, by which time all identified end-of-support edge devices must be fully replaced with modern, vendor-supported equipment that receives ongoing security patches.
Beyond immediate replacement, BOD 26-02 mandates that agencies build sustainable processes for the future. They are required to establish continuous discovery mechanisms within two years. Such a process must proactively identify every edge device on their networks and maintain a current inventory of hardware and software approaching its end-of-support date, so that unsupported equipment does not accumulate unnoticed again.
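To make the timeline concrete, here is an added triage script that is not part of the article or of any CISA tooling. It takes a constructed edge-device inventory and sorts each entry into the buckets the article describes: patch immediately if the vendor still ships updates, decommission within one year if the device was already end-of-support when the directive was issued, decommission within 18 months for any other identified end-of-support device, and otherwise flag devices whose end-of-support date is approaching. The directive issue date, the "today" date, the 12-month planning lead time, the device names and the version numbers are all assumptions made for the example; the exact rules in the directive text itself may differ from this article's summary and should be read from the directive before anything is built on it.

```python
"""Triage an edge-device inventory against the BOD 26-02 timeline as summarised
in the article above. Added illustration; devices, dates and versions are constructed."""
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed issue date of the directive (the article does not state it).
DIRECTIVE_DATE = date(2025, 12, 1)


def add_months(d: date, n: int) -> date:
    """Calendar-month arithmetic, clamping the day to the target month's length."""
    months = d.month - 1 + n
    year, month = d.year + months // 12, months % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def _ver(v: str) -> tuple:
    """Dotted version string -> comparable tuple, e.g. '7.0.5' -> (7, 0, 5)."""
    return tuple(int(x) for x in v.split("."))


@dataclass
class EdgeDevice:
    name: str
    vendor: str
    model: str
    running: str                      # firmware version currently installed
    latest_supported: Optional[str]   # newest version the vendor still ships, or None
    end_of_support: Optional[date]    # None = vendor has announced no end-of-support date


def triage(dev: EdgeDevice, directive_date: date, today: date, lead_months: int = 12):
    """Return (action, deadline) for one device.

    Order matters: a device that is already past end-of-support cannot be fixed by
    patching, so the decommission check comes before the update check.
    """
    eos = dev.end_of_support
    if eos is not None and eos <= today:
        if eos < directive_date:
            # Already unsupported when the directive was issued: one year.
            return ("decommission", add_months(directive_date, 12))
        # Reached end-of-support after the directive: the 18-month backstop.
        return ("decommission", add_months(directive_date, 18))
    if dev.latest_supported and _ver(dev.running) < _ver(dev.latest_supported):
        # Still supported but behind the vendor's current release: fix now.
        return ("patch_now", today)
    if eos is not None and eos <= add_months(today, lead_months):
        # Approaching end-of-support within the planning window: start replacement.
        return ("plan_replacement", eos)
    return ("ok", None)


def report(devices, directive_date: date = DIRECTIVE_DATE, today: date = date(2026, 1, 15)):
    """Map device name -> (action, deadline) for the whole inventory."""
    return {d.name: triage(d, directive_date, today) for d in devices}


# Constructed inventory; vendor and model strings are placeholders, not real products.
INVENTORY = [
    EdgeDevice("fw-edge-01", "vendorA", "FW-1000", "6.4.1", None, date(2024, 6, 30)),
    EdgeDevice("rtr-wan-02", "vendorB", "RT-200", "3.2.0", None, date(2025, 12, 31)),
    EdgeDevice("vpn-gw-03", "vendorA", "VPN-50", "7.0.2", "7.0.5", date(2027, 3, 31)),
    EdgeDevice("sw-core-04", "vendorC", "SW-48", "9.3.0", "9.3.0", date(2026, 9, 30)),
    EdgeDevice("fw-dmz-05", "vendorA", "FW-2000", "12.1", "12.1", None),
]

if __name__ == "__main__":
    for name, (action, deadline) in sorted(report(INVENTORY).items()):
        print(f"{name:12} {action:18} {deadline or ''}")
```

The point of ordering the checks this way is that a vendor's "latest supported" version is meaningless once the product is past end-of-support, and an inventory that only compares version strings will happily report an unsupported box as "up to date". Feed this from whatever discovery data you already collect (SNMP, a NAC, a CMDB export) and populate end-of-support dates from the vendor's published lifecycle page rather than guessing.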
While this binding directive applies specifically to agencies within the Federal Civilian Executive Branch, CISA strongly advises all organizations to review and adopt the guidance. The agency emphasizes that the threat to network perimeter devices is not confined to government systems, and all network defenders should take steps to secure their operations against these ongoing attacks.
This latest order builds upon previous CISA initiatives to harden federal networks. In June 2023, the agency issued Binding Operational Directive 23-02, which focused on securing misconfigured or internet-exposed management interfaces on similar devices. Earlier that same year, CISA launched the Ransomware Vulnerability Warning Pilot program, through which it proactively alerts critical infrastructure operators about network devices vulnerable to ransomware exploitation.
(Source: Bleeping Computer)