The US Cybersecurity and Infrastructure Security Agency (CISA) issued a new binding operational directive aimed at reducing a long-standing cyber risk across federal networks: outdated “edge devices” that are no longer supported by vendors and aren’t receiving timely security updates.
By “edge devices”, CISA means load balancers, firewalls, routers, switches, wireless access points, network security appliances, IoT edge devices, software-defined networks and other physical or virtual networking devices responsible for routing network traffic and providing privileged access.
Unsupported devices are a known target for attackers because they don’t get patches for new flaws, sit on the network boundary, are accessible from the public internet and can therefore give adversaries a beachhead into government systems.
Under the BOD 26-02 directive, US federal civilian agencies have firm work to do on a set timeline:
- Immediately: Patch edge devices that can be patched (if doing so won’t break mission-critical functions).
- Within three months: Agencies must take stock of all edge devices on what CISA calls its “end-of-service” list.
- Within one year: Devices that already passed their end-of-support deadlines must be taken off networks and replaced with supported equipment.
- By 18 months: All identified end-of-support edge devices must be fully removed nationwide.
- By two years: Agencies must put in place a continuous discovery process so future edge devices approaching end-of-support are spotted and dealt with before they become a risk.
The agency plans to provide a list of edge devices that are already EOS or soon-to-be EOS, and other technical support as needed.
“CISA is aware of widespread exploitation campaigns by advanced threat actors targeting EOS edge devices,” the agency said. “Agencies that do not maintain appropriate lifecycle management processes for edge devices have a greater risk of compromise and an increased overall risk associated with EOS technology.”
The agency also pointed out that while this directive concerns edge devices, “EOS devices should not reside anywhere on federal networks.”
The directive applies only to US civilian federal agencies and carries legal weight under federal law, even though CISA doesn’t fine agencies for non-compliance. Instead, CISA and the Office of Management and Budget track whether the deadlines are met.