CISA has ordered U.S. federal civilian agencies to tighten how they manage edge network devices and to replace those that no longer receive security updates within 12 to 18 months, in a move designed to reduce cyber risk and improve infrastructure security. According to Binding Operational Directive 26-02, agencies must identify and replace end-of-support devices across the edge, and strengthen asset lifecycle management for active devices that sit at the network perimeter.
The directive requires Federal Civilian Executive Branch agencies to inventory edge devices, report end-of-support equipment, and remove hardware that is no longer supported by the original equipment manufacturer. The agency warns that threat actors increasingly target unsupported edge devices, and explains that CISA will track compliance and provide support as agencies implement the changes.
“Unsupported devices pose a serious risk to federal systems and should never remain on enterprise networks,” according to CISA Acting Director Madhu Gottumukkala, who stresses decisive action to strengthen cyber resilience. “Practising good cyber hygiene starts with eliminating unsupported edge devices,” said Nick Andersen, CISA Executive Assistant Director for Cybersecurity, urging organisations beyond the federal sphere to adopt similar protections.