US Agencies Ordered to Replace Outdated Edge Devices

Summary
– CISA has issued a binding directive requiring all US federal agencies to decommission end-of-support (EOS) public-facing edge devices within 12 months.
– The directive is a response to substantial and constant threats, as these outdated devices are prime targets for nation-state actors seeking network entry.
– Agencies must first use a CISA-provided list to identify all such devices and remediate vulnerabilities within three months of the directive.
– They must then remove all identified EOS edge devices from their networks within 18 months, replacing them with supported hardware.
– Finally, agencies have two years to establish a continuous process for discovering and inventorying edge devices approaching their end-of-support date.
In a decisive move to bolster national cybersecurity, US federal agencies have been mandated to remove all outdated public-facing network hardware within a year. The Cybersecurity and Infrastructure Security Agency (CISA) issued this urgent directive in response to active exploitation campaigns targeting devices that have reached their end-of-support (EOS) lifecycle. These vulnerable components, often positioned at the network perimeter, present a constant and substantial threat to federal information systems.
The formal order, known as Binding Operational Directive 26-02, applies to all civilian executive branch departments and agencies. CISA emphasized that while many cyber threats are complex, this particular risk can be directly addressed through disciplined lifecycle management. The directive specifically targets EOS devices deployed on the network “edge”, those public-facing areas exposed to external environments like the internet. The agency further clarified that such obsolete hardware should not remain operational anywhere on federal networks.
Nation-state threat actors find end-of-life devices especially attractive, routinely exploiting outdated or unsupported hardware as a reliable entry point into secured systems. To combat this, the directive establishes a clear and enforceable timeline for agencies to follow.
CISA has developed an EOS Edge Device List to help organizations begin the identification process. Using this resource, agencies must locate and address vulnerabilities on all relevant devices within the first three months after the directive’s issuance. Any device with an end-of-support date falling on or before the twelve-month mark from the directive must be fully decommissioned, with agencies reporting their compliance to CISA.
Furthermore, all edge devices scheduled to reach EOS within the subsequent twelve-month period must be cataloged in an inventory. A critical deadline arrives at the eighteen-month mark, by which time all identified EOS edge devices must be removed from agency networks. These components should be replaced with vendor-supported alternatives capable of receiving current security updates.
Finally, within two years, each agency is required to implement a sustainable process for the continuous discovery of all edge devices in their environment. This system must maintain an up-to-date inventory of devices that are currently EOS or will become EOS within the next twelve months, ensuring proactive management and preventing future accumulation of vulnerable hardware.
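The identify-and-inventory steps the article describes (match assets against an EOS list, flag anything whose support ends on or before the twelve-month mark, track anything reaching EOS in the following twelve months, and derive the directive's milestone dates) can be automated against an asset inventory. The script below is an added illustration, not CISA's tooling or list: the EOS list, the inventory rows and the directive date are all constructed placeholders, and the vendor and model names are invented.

```python
"""Triage a network asset inventory against an end-of-support (EOS) list.

Added illustration of the identify/inventory steps described in the article.
The EOS list, the inventory rows and the directive date below are constructed
sample data, not CISA's actual EOS Edge Device List or the real issuance date.
"""
import calendar
from dataclasses import dataclass
from datetime import date

# Placeholder issuance date for the directive (hypothetical, not the real one).
EXAMPLE_DIRECTIVE_DATE = date(2026, 1, 1)


def add_months(d: date, n: int) -> date:
    """Return d shifted by n calendar months, clamping the day to month end."""
    years, month_index = divmod(d.month - 1 + n, 12)
    y, m = d.year + years, month_index + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


def milestones(directive_date: date) -> dict:
    """Deadlines the article lists, measured from the directive's issuance."""
    return {
        "identify_and_remediate": add_months(directive_date, 3),
        "decommission_and_report": add_months(directive_date, 12),
        "remove_all_eos_edge": add_months(directive_date, 18),
        "continuous_discovery": add_months(directive_date, 24),
    }


@dataclass(frozen=True)
class Asset:
    hostname: str
    vendor: str
    model: str
    public_facing: bool  # directive scope is the public-facing network edge


# Constructed sample EOS list keyed by (vendor, model); all values are invented.
SAMPLE_EOS_LIST = {
    ("ExampleVendor", "EdgeFW-100"): date(2025, 6, 30),
    ("ExampleVendor", "EdgeFW-200"): date(2027, 8, 1),
    ("ExampleVendor", "EdgeFW-300"): date(2027, 3, 15),
    ("OtherVendor", "VPN-GW-5"): date(2028, 6, 1),
}

# Constructed sample inventory (hostnames and hardware are placeholders).
SAMPLE_INVENTORY = [
    Asset("fw-dmz-01", "ExampleVendor", "EdgeFW-100", public_facing=True),
    Asset("fw-dmz-02", "ExampleVendor", "EdgeFW-200", public_facing=True),
    Asset("fw-core-01", "ExampleVendor", "EdgeFW-300", public_facing=False),
    Asset("vpn-01", "OtherVendor", "VPN-GW-5", public_facing=True),
    Asset("lb-01", "UnknownVendor", "LB-9", public_facing=True),
]


def classify(eos_date, directive_date: date) -> str:
    """Map an EOS date to the directive phase it falls under.

    decommission: EOS on or before directive + 12 months.
    inventory:    EOS within the following 12-month window; must be tracked.
    supported:    EOS more than 24 months out (or no announced EOS).
    unverified:   not on the EOS list at all; confirm status with the vendor.
    """
    if eos_date is None:
        return "unverified"
    if eos_date <= add_months(directive_date, 12):
        return "decommission"
    if eos_date <= add_months(directive_date, 24):
        return "inventory"
    return "supported"


def triage(inventory, eos_list, directive_date: date) -> dict:
    """Return {hostname: phase} for every asset.

    Internal (non-public-facing) assets are classified too, since the article
    notes obsolete hardware should not remain anywhere on the network, but
    callers can filter on Asset.public_facing for the directive's formal scope.
    """
    return {
        a.hostname: classify(eos_list.get((a.vendor, a.model)), directive_date)
        for a in inventory
    }


if __name__ == "__main__":
    for name, when in milestones(EXAMPLE_DIRECTIVE_DATE).items():
        print(f"{name:24s} {when.isoformat()}")
    for host, phase in triage(SAMPLE_INVENTORY, SAMPLE_EOS_LIST, EXAMPLE_DIRECTIVE_DATE).items():
        print(f"{host:12s} {phase}")
```

The `unverified` bucket matters in practice: a device missing from the list is not evidence that it is supported, so it should be resolved with the vendor before the three-month identification deadline rather than silently treated as compliant.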
(Source: InfoSecurity Magazine)