The Cybersecurity and Infrastructure Security Agency (CISA) has issued a new directive, Binding Operational Directive (BOD) 26-02, requiring Federal Civilian Executive Branch (FCEB) agencies to remove outdated edge devices from their networks. The directive aims to mitigate the security risks of end-of-support (EOS) hardware, including firewalls, routers, and VPN gateways, that forms the boundary of an agency's network infrastructure.
Significance of Removing Unsupported Devices
Developed in collaboration with the Office of Management and Budget (OMB), this directive targets the vulnerabilities posed by unsupported devices. These devices, located at network boundaries and accessible from the internet, include load balancers, switches, and wireless access points. Their lack of ongoing security updates makes them prime targets for cybercriminals and state-sponsored actors seeking entry into deeper network layers.
CISA highlights that these outdated edge devices can be exploited by advanced threat actors, posing a “substantial and constant” threat. Once compromised, these devices can be used to intercept traffic, steal credentials, and facilitate further attacks on internal systems. Recent incidents have demonstrated how attackers exploit these vulnerabilities to bypass perimeter defenses effectively.
Detailed Timeline for Compliance
The directive outlines a structured timeline for the phased removal of unsupported hardware. Agencies must immediately update any edge devices running EOS software to supported versions, ensuring no disruption to mission-critical functions. Within three months, agencies are required to inventory their edge devices against a CISA-provided list of known EOS hardware and report their findings.
Within 12 months, all devices identified on CISA’s initial EOS list must be decommissioned, with a follow-up inventory of all other EOS devices in their environment. By 18 months, any remaining EOS devices must be replaced with supported alternatives. Finally, within 24 months, agencies need to establish a continuous lifecycle management process to proactively replace devices nearing their end-of-support date.
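The inventory steps above reduce to one recurring task: match each edge device against the EOS list, decommission what is already past its support date, and flag what is approaching it so the lifecycle process can replace it ahead of time. The following is an added example, not part of the directive or any CISA tooling; the device records, the EOS list, its (vendor, model) keying, and the 365-day look-ahead horizon are all constructed assumptions, since the page does not describe the format of CISA's list.

```python
"""Reconcile an edge-device inventory against an end-of-support list.

Added example (not CISA's or the directive's own tooling). The inventory,
the EOS list and its (vendor, model) keying are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Device:
    hostname: str
    vendor: str
    model: str
    role: str            # firewall, router, vpn gateway, load balancer, ...
    internet_facing: bool


# Constructed sample EOS list: (vendor, model) -> vendor end-of-support date.
# Keys are lower-cased so that inventory spelling variations still match.
EOS_LIST = {
    ("acme", "fw-1000"): date(2024, 6, 30),
    ("acme", "vpn-200"): date(2026, 9, 30),
    ("netco", "sw-48"): date(2028, 1, 1),
    ("netco", "wap-7"): date(2025, 12, 31),
}

# Constructed sample inventory of boundary devices.
INVENTORY = [
    Device("fw-edge-01", "Acme", "FW-1000", "firewall", True),
    Device("vpn-gw-02", "Acme", "VPN-200", "vpn gateway", True),
    Device("core-sw-03", "NetCo", "SW-48", "switch", False),
    Device("lb-04", "NetCo", "LB-X", "load balancer", True),
    Device("wap-05", "NetCo", "WAP-7", "wireless access point", False),
]


def classify(device, eos_list, today, horizon):
    """Place one device in a lifecycle bucket.

    decommission    - support has already ended; must be removed/replaced.
    approaching_eos - support ends within `horizon`; schedule replacement.
    supported       - on the list, support continues beyond the horizon.
    not_on_list     - unknown to the list; needs manual vendor verification,
                      since absence from the list does not prove support.
    """
    eos = eos_list.get((device.vendor.lower(), device.model.lower()))
    if eos is None:
        return "not_on_list"
    if eos <= today:
        return "decommission"
    if eos - today <= horizon:
        return "approaching_eos"
    return "supported"


def reconcile(inventory, eos_list, today, horizon=timedelta(days=365)):
    """Group hostnames by bucket, internet-facing devices listed first.

    Internet-exposed devices are ordered first within each bucket because
    they carry the highest risk and should be handled earliest.
    """
    buckets = {"decommission": [], "approaching_eos": [],
               "supported": [], "not_on_list": []}
    for device in inventory:
        buckets[classify(device, eos_list, today, horizon)].append(device)
    for name, devices in buckets.items():
        devices.sort(key=lambda d: (not d.internet_facing, d.hostname))
        buckets[name] = [d.hostname for d in devices]
    return buckets


if __name__ == "__main__":
    report = reconcile(INVENTORY, EOS_LIST, date.today())
    for bucket, hosts in report.items():
        print(f"{bucket:16s} {', '.join(hosts) or '-'}")
```

Re-running this against each refreshed copy of the EOS list is the "continuous lifecycle management process" in miniature: the `approaching_eos` bucket is the replacement queue, and anything landing in `not_on_list` needs a vendor check rather than being assumed safe.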
Broader Implications and Support
While BOD 26-02 specifically targets federal civilian agencies, CISA aims for this directive to serve as a benchmark for other sectors. Local governments, critical infrastructure operators, and private businesses are encouraged to adopt similar practices. This initiative aligns with the federal government’s Zero Trust architecture goals, as outlined in OMB Memorandum M-22-09, to reduce the attack surface by eliminating vulnerable perimeter devices.
Moreover, CISA will provide technical guidance, reporting templates, and an evolving list of EOS devices to assist agencies with this transition. The directive also reinforces OMB Circular A-130, which mandates the phasing out of unsupported information systems, ensuring federal networks are not left exposed to unpatched vulnerabilities.
Agencies and organizations are urged to adopt these practices to safeguard their networks against evolving threats.
