**
CISA Urges Federal Agencies to Retire End-of-Support Edge Devices
**The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a binding operational directive requiring federal agencies to improve the management of their edge network devices, including the retirement of unsupported ones within 12-18 months.
According to Binding Operational Directive 26-02: Mitigating Risk from End-of-Support Edge Devices, federal civilian agencies must take immediate action to strengthen the management of their edge network devices throughout their entire lifecycle. This includes identifying and replacing devices that no longer receive security updates from manufacturers, in order to reduce cyber risks and improve infrastructure security.
The directive emphasizes that unsupported edge devices pose a significant risk to federal systems and should never remain on enterprise networks. Threat actors increasingly target these devices, which sit at the network perimeter and are no longer receiving security updates, making them an attractive target for exploitation.
To mitigate this risk, CISA requires agencies to take specific actions:
- Inventory all edge devices
- Report those that are end-of-support
- Update or replace them with supported versions
- Remove unsupported hardware from networks
- Aadopt strong lifecycle management to continuously track device status
"Unsupported devices pose a serious risk to federal systems and should never remain on enterprise networks," said CISA Acting Director Madhu Gottumukkala. "When the threat landscape demands decisive action, CISA will direct FCEB agencies to strengthen cyber resilience and build a stronger, safer digital infrastructure for America's future."
CISA also encourages non-federal organizations to adopt similar actions to strengthen the security of their edge devices.
"Strong cyber hygiene starts by removing unsupported edge devices," said CISA Executive Assistant Director for Cybersecurity Nick Andersen. "Driving timely risk reduction across the federal enterprise is critical, but true impact comes when all organizations commit to the same goal. By proactively managing asset lifecycles and removing end-of-support technology, we can collectively strengthen resilience and protect the global digital ecosystem."
As agencies carry out the directive, CISA will track compliance, review progress, and provide support as needed.
**
What are Edge Devices?
**CISA clarifies that edge devices include:
- Firewalls
- Routers
- Switches
- Load balancers
- Wireless access points
- IoT edge devices
- SDN components
- Other network systems that route traffic and hold privileged access
The directive emphasizes the importance of proactive management of asset lifecycles and removal of end-of-support technology to reduce risk and improve resilience across government and beyond.
**
Follow Security Affairs on Social Media
**Stay up-to-date with the latest cybersecurity news and insights by following us on: