CISA has issued Binding Operational Directive (BOD) 26-02, ordering Federal Civilian Executive Branch (FCEB) agencies to eliminate “end of support” (EOS) edge devices from their networks.
This directive, developed in coordination with the Office of Management and Budget (OMB), addresses the significant security risks posed by unsupported hardware that resides on network boundaries, such as firewalls, routers, and VPN gateways.
BOD 26-02 mandates a phased removal of edge devices that no longer receive security updates from their original equipment manufacturers (OEMs).
CISA defines “edge devices” as technology located on a network’s boundary that is accessible from the public internet, including load balancers, switches, and wireless access points.
Unsupported devices are considered a “substantial and constant” threat because they are vulnerable to exploitation by advanced threat actors who use them as pivot points into deeper agency networks.
The directive outlines a strict timeline for compliance:
- Immediate Action: Agencies must update any supported edge devices currently running EOS software to a supported version, provided it does not disrupt mission-critical functions.
- Within 3 Months: Agencies are required to inventory their edge devices against a CISA-provided list of known EOS hardware and report their findings.
- Within 12 Months: Agencies must decommission all devices identified on CISA’s initial EOS list and begin inventorying all other EOS devices in their environment.
- Within 18 Months: All remaining EOS edge devices must be removed from agency networks and replaced with supported alternatives.
- Within 24 Months: Agencies must establish a continuous lifecycle management process to identify and replace devices before they reach their end-of-support date.
Edge devices are attractive targets for cybercriminals and state-sponsored actors because they often have extensive reach into an organization’s network and integrate with identity management systems.
Unlike endpoints (laptops, desktops), which have robust security software, edge infrastructure often runs proprietary firmware that can be difficult to inspect or monitor.
Recent campaigns have shown attackers exploiting vulnerabilities in these devices to bypass perimeter defenses.
Once compromised, an edge device can allow an attacker to intercept traffic, steal credentials, or launch further attacks against internal systems. CISA’s directive aims to close this gap by enforcing “proven lifecycle management practices”.
While BOD 26-02 explicitly applies to federal civilian agencies, CISA intends for it to set a standard for other sectors. CISA officials have stated that “unsupported devices should never remain on enterprise networks,” urging local governments, critical infrastructure operators, and private businesses to adopt similar measures.
This move aligns with the federal government’s broader Zero Trust architecture goals, as outlined in OMB Memorandum M-22-09. By removing vulnerable perimeter devices, agencies reduce their attack surface and force attackers to find harder paths into federal systems.
The directive also reinforces OMB Circular A-130, which has long required agencies to phase out unsupported information systems.
Agencies failing to comply with these requirements risk leaving federal networks exposed to known vulnerabilities for which no patches exist.
To assist with the transition, CISA will provide technical guidance, reporting templates, and an evolving list of EOS devices.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
