Federal Mandate on Edge Device Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a binding operational directive requiring Federal Civilian Executive Branch (FCEB) agencies to strengthen asset lifecycle management for edge network devices. The order mandates that devices no longer receiving security updates from original equipment manufacturers (OEMs) be removed within 12 to 18 months.

Why Edge Devices Matter

Edge devices—including load balancers, firewalls, routers, switches, wireless access points, and IoT components—are critical network infrastructure. Positioned at the network perimeter, they route traffic and hold privileged access, making them prime targets for persistent cyber threat actors.

CISA emphasized that unsupported hardware and software—devices no longer receiving vendor updates—pose serious risks to federal systems. State-sponsored threat actors increasingly exploit these devices as preferred access pathways.

Binding Operational Directive 26-02 Requirements

The new directive establishes specific timelines and milestones for agencies:

- Immediate: Update vendor-supported edge devices running end-of-support software to current vendor-supported versions
- Within 3 months: Catalog all devices and identify end-of-support equipment; report findings to CISA
- Within 12 months: Decommission all edge devices on the end-of-support list and replace with vendor-supported alternatives
- Within 18 months: Decommission all other identified end-of-support devices and replace with supported equipment
- Within 24 months: Establish lifecycle management processes for continuous device discovery and inventory maintenance

End-of-Support Device List

To assist agencies in compliance, CISA developed an end-of-support edge device list containing product names, version numbers, and support termination dates. The list serves as a preliminary repository of devices that have already reached, or are expected to reach, end of support.

Broader Security Impact

CISA Acting Director Madhu Gottumukkala stated: "Unsupported devices pose a serious risk to federal systems and should never remain on enterprise networks. By proactively managing asset lifecycles and removing end-of-support technology, we can collectively strengthen resilience and protect the global digital ecosystem."

This directive reflects growing concerns about persistent cyber threat actors exploiting technical debt in federal infrastructure for network intrusion and espionage campaigns.

Source: The Hacker News