CISA has ordered Federal Civilian Executive Branch agencies to strengthen asset lifecycle management for edge network devices and, within the next 12 to 18 months, remove those that no longer receive security updates from OEMs. The directive aims to drive down technical debt and minimise the risk of compromise as state-sponsored threat actors increasingly use edge devices as an access path into networks.
"Edge devices" is an umbrella term covering load balancers, firewalls, routers, switches, wireless access points, network security appliances, IoT edge devices, software-defined networks, and other components that route traffic and hold privileged access. CISA has issued an end-of-support edge device list giving the product name, version number and end-of-support date.
Binding Operational Directive 26-02, Mitigating Risk From End-of-Support Edge Devices, requires agencies to update end-of-support devices to vendor-supported software immediately, catalog all devices within three months, and decommission those listed within 12 months, replacing them with supported devices. Agencies must also complete decommissioning of other identified devices within 18 months and establish a lifecycle management process within 24 months.
“Unsupported devices pose a serious risk to federal systems and should never remain on enterprise networks,” according to CISA Acting Director Madhu Gottumukkala.