CISA orders feds to disconnect unsupported network edge devices



The Cybersecurity and Infrastructure Security Agency is giving federal agencies one year to stop using edge devices that no longer receive security updates from vendors.

The “imminent threat” to agencies posed by end-of-support (EOS) edge devices — including firewalls, routers, network security appliances and Internet of Things devices — “is substantial and constant,” CISA said in a binding operational directive that it issued on Thursday.

CISA said it was “aware of widespread exploitation campaigns by advanced threat actors targeting EOS edge devices,” which are attractive entry points for hackers “due to their extensive reach into an organization’s network and integrations with identity management systems.”

The new BOD requires agencies to immediately update any edge device running outdated software to a version that still receives vendor support, as long as doing so “does not adversely impact mission critical functionality.” Within three months, agencies must tell CISA which devices from the agency’s new EOS Edge Device List they are using on their networks.

Agencies will then have 12 months to decommission all listed devices with EOS dates on or before that deadline, reporting to CISA as they do so. The directive also gives agencies 12 months to inventory all edge devices — whether or not they appear on CISA’s list — that will lose support within the next year and provide that inventory to CISA.

Within 18 months, agencies must remove all remaining EOS devices, and within 24 months, agencies must develop processes for tracking devices that are, or will soon be, unsupported. They will be required to stop using those devices before their EOS date.

While the directive is binding only on federal agencies, CISA hopes local governments, businesses, and foreign allies will also heed its warning to disconnect unsupported network edge devices. The agency is publishing a fact sheet, developed in collaboration with the FBI and the U.K.’s National Cyber Security Centre, that offers advice for protecting edge devices.

The directive comes after years of nation-state cyberattacks that began with compromises of edge devices and blossomed into highly disruptive operations.

“Unsupported devices should never remain on enterprise networks,” Nick Andersen, CISA’s executive assistant director for cybersecurity, told reporters during a briefing on Thursday.

Compliance conundrum

Despite its authority to instruct agencies to complete certain cybersecurity tasks, CISA has limited ability to ensure agencies’ compliance with its directives. Andersen said CISA will work with the White House’s Office of Management and Budget to “monitor compliance, assess progress and provide support” to agencies as they implement the BOD. But he did not identify any mechanisms for forcing agencies to meet the deadlines.

“It’s not necessarily about, ‘can CISA go wave a big stick and force an agency to do something?’” Andersen said.

One of CISA’s jobs, he added, is to advise agencies on the trade-offs of continuing to use insecure technology for “delivering essential citizen services.”
