The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a new binding operational directive requiring federal agencies to identify and remove network edge devices that no longer receive security updates from manufacturers.
It also warned that end-of-life edge devices (including routers, firewalls, and network switches) leave federal systems vulnerable to newly discovered exploits and expose them to “disproportionate and unacceptable risks.”
“The imminent threat of exploitation to agency information systems running EOS edge devices is substantial and constant, resulting in a significant threat to federal property. CISA is aware of widespread exploitation campaigns by advanced threat actors targeting EOS edge devices,” the cybersecurity agency said on Thursday.
“These devices are especially vulnerable to cyber exploits targeting newly discovered, unpatched vulnerabilities. Additionally, they no longer receive supported updates from the original equipment manufacturer, exposing federal systems to disproportionate and unacceptable risks.”
Binding Operational Directive 26-02 (BOD 26-02) mandates U.S. government agencies to decommission end-of-support (EOS) hardware and software on federal networks to prevent exploitation by advanced threat actors.
The directive requires immediate action on vendor-supported devices running end-of-support software for which updates are available, and an inventory of all devices on CISA’s end-of-support list within three months.
Federal agencies also have 12 months to decommission devices that reached end-of-support before the directive’s issuance date. Within 18 months, all identified end-of-support edge devices must be replaced with vendor-supported equipment receiving current security updates.
BOD 26-02 also requires them to establish continuous discovery processes within 24 months to identify edge devices and maintain inventories of equipment and software approaching end-of-support status.
While these requirements apply only to U.S. Federal Civilian Executive Branch (FCEB) agencies, CISA encourages all network defenders to follow the guidance in this fact sheet to secure systems, data, and operations against threat groups targeting network edge devices in ongoing attacks.
Three years ago, in June 2023, CISA also issued Binding Operational Directive 23-02, which requires federal civilian agencies to secure misconfigured or Internet-exposed management interfaces (e.g., routers, firewalls, proxies, and load balancers).
Months earlier, it announced that it would warn critical infrastructure organizations if they have network devices vulnerable to ransomware attacks as part of a new Ransomware Vulnerability Warning Pilot (RVWP) program.
Modern IT infrastructure moves faster than manual workflows can handle.
In this new Tines guide, learn how your team can reduce hidden manual delays, improve reliability through automated response, and build and scale intelligent workflows on top of tools you already use.