CISA Mandates Removal of Unsupported Edge Devices to Bolster Network Security
The Cybersecurity and Infrastructure Security Agency (CISA) has issued Binding Operational Directive (BOD) 26-02, compelling Federal Civilian Executive Branch (FCEB) agencies to eliminate end-of-support (EOS) edge devices from their networks. This directive, developed in collaboration with the Office of Management and Budget (OMB), addresses the significant security risks posed by unsupported hardware residing on network boundaries, such as firewalls, routers, and VPN gateways.
Understanding Edge Devices and Their Vulnerabilities
Edge devices are critical components located at the periphery of a network, serving as gateways between internal systems and external networks. These include firewalls, routers, load balancers, switches, and wireless access points. When these devices reach their end-of-support status, they no longer receive security updates from their original equipment manufacturers (OEMs), rendering them susceptible to exploitation. Unsupported devices present a substantial and constant threat, as advanced threat actors can exploit the unpatched vulnerabilities in them to gain unauthorized access to agency networks.
Directive Compliance Timeline
BOD 26-02 outlines a phased approach for agencies to identify and remove EOS edge devices:
– Immediate Action: Agencies must update any supported edge devices currently running EOS software to a supported version, provided it does not disrupt mission-critical functions.
– Within 3 Months: Agencies are required to inventory their edge devices against a CISA-provided list of known EOS hardware and report their findings.
– Within 12 Months: Agencies must decommission all devices identified on CISA’s initial EOS list and begin inventorying all other EOS devices in their environment.
– Within 18 Months: All remaining EOS edge devices must be removed from agency networks and replaced with supported alternatives.
– Within 24 Months: Agencies must establish a continuous lifecycle management process to identify and replace devices before they reach their end-of-support date.
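One way to carry out the inventory, reporting and lifecycle steps above in code, added here as an illustration and not tooling from CISA or the directive. The EOS list format, vendor names, models, firmware trains and dates are constructed placeholders, since the page does not describe the real list; the lookahead window used for lifecycle planning is also an assumption.

```python
from dataclasses import dataclass
from datetime import date, timedelta
# Constructed sample lists: vendor, model, firmware-train names and dates are
# placeholders, not entries from CISA's list (its format is not given on the page).
HARDWARE_EOS = {("ExampleNet", "FW-1000"): date(2024, 6, 30),
                ("ExampleNet", "FW-3000"): date(2026, 9, 30)}
FIRMWARE_EOS = {("ExampleNet", "7.x"): date(2025, 1, 31),
                ("ExampleNet", "8.x"): date(2028, 1, 31)}

@dataclass(frozen=True)
class Device:
    hostname: str
    vendor: str
    model: str
    firmware: str   # software train the device reports, e.g. "7.x"

def classify(dev, today, lookahead=timedelta(days=365)):
    """Map a device to the action the directive's phases call for: decommission
    (hardware past EOS), update_firmware (supported hardware on an EOS software
    train), plan_replacement (hardware EOS inside the lookahead window), supported,
    or unknown (not on the list: needs manual review, never treated as a pass)."""
    hw_eos = HARDWARE_EOS.get((dev.vendor, dev.model))
    if hw_eos is None:
        return "unknown"
    if hw_eos <= today:
        return "decommission"
    fw_eos = FIRMWARE_EOS.get((dev.vendor, dev.firmware))
    if fw_eos is not None and fw_eos <= today:
        return "update_firmware"
    if hw_eos <= today + lookahead:
        return "plan_replacement"
    return "supported"

def reconcile(inventory, today):
    """Group hostnames by required action: the per-agency finding to report."""
    report = {}
    for dev in inventory:
        report.setdefault(classify(dev, today), []).append(dev.hostname)
    return report

SAMPLE_INVENTORY = [  # constructed inventory records
    Device("fw-edge-01", "ExampleNet", "FW-1000", "7.x"),
    Device("fw-edge-02", "ExampleNet", "FW-3000", "7.x"),
    Device("fw-edge-03", "ExampleNet", "FW-3000", "8.x"),
    Device("rtr-edge-01", "OtherVendor", "R-20", "2.1"),
]

if __name__ == "__main__":
    for action, hosts in sorted(reconcile(SAMPLE_INVENTORY, date(2025, 7, 1)).items()):
        print(f"{action:16} {', '.join(hosts)}")
```

Re-running the reconciliation on a schedule, with the lookahead set to the agency's procurement lead time, is what turns the one-off inventory into the continuous lifecycle process the final phase requires.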
The Significance of Edge Device Security
Edge devices are attractive targets for cybercriminals and state-sponsored actors due to their extensive reach into an organization’s network and integration with identity management systems. Unlike endpoints such as laptops and desktops, which often have robust security software, edge infrastructure frequently runs proprietary firmware that can be challenging to inspect or monitor. Recent campaigns have demonstrated attackers exploiting vulnerabilities in these devices to bypass perimeter defenses. Once compromised, an edge device can allow an attacker to intercept traffic, steal credentials, or launch further attacks against internal systems. CISA’s directive aims to close this gap by enforcing proven lifecycle management practices.
Broader Implications and Recommendations
While BOD 26-02 explicitly applies to federal civilian agencies, CISA intends for it to set a standard for other sectors. CISA officials have stated that unsupported devices should never remain on enterprise networks, urging local governments, critical infrastructure operators, and private businesses to adopt similar measures. This move aligns with the federal government’s broader Zero Trust architecture goals, as outlined in OMB Memorandum M-22-09. By removing vulnerable perimeter devices, agencies reduce their attack surface and force attackers to find harder paths into federal systems. The directive also reinforces OMB Circular A-130, which has long required agencies to phase out unsupported information systems. Agencies failing to comply with these requirements risk leaving federal networks exposed to known vulnerabilities for which no patches exist.
Support and Resources
To assist with the transition, CISA will provide technical guidance, reporting templates, and an evolving list of EOS devices. Agencies are encouraged to leverage these resources to ensure compliance with the directive and enhance their overall cybersecurity posture.