Governance, Risk and Compliance, Government security, Endpoint/Device Security, Network Security

CISA gives federal agencies one year to replace outdated edge devices

Washington D.C. skyline at night with major monuments in view - Washington D.C. United States of America

Looking to finally modernize and secure federal government networks, the Cybersecurity and Infrastructure Security Agency (CISA) on Feb. 5 gave civilian agencies one year to replace all end-of-support (EoS) edge devices.

Under its binding operational directive (BOD) 26-02, CISA said edge devices are attractive targets for hackers because of their extensive reach into agency networks and integrations with identity management systems.

CISA also pointed out that EoS devices — which are often decades old at federal agencies — no longer receive supported updates from the original equipment manufacturer, exposing federal systems to "disproportionate and unacceptable risks."

Agencies will have three months to conduct an inventory of their EoS devices and will decommission all identified appliances after a year. Within two years, agencies have to create a process for the continuous discovery of EoS devices.

According to CISA, EoS refers to all hardware devices, firmware, and software versions that no longer receive timely, supported updates from the original equipment manufacturer, including patches for CVEs, security updates, software fixes, and defects.


Related reading:


Edge devices are defined as appliances that reside on the boundary of an agency’s network and are accessible from the public internet. This includes load balancers, firewalls, routers, switches, wireless access points, network security appliances, IoT edge devices, software defined networks, and other physical or virtual network devices responsible for routing network traffic and offering privileged access.

Aggressive effort to address technical debt

Damon Small, board member at Xcape, Inc., said CISA’s new directive represents a very aggressive effort to address the "technical debt" that currently opens up our networks to nation-state hackers. By requiring the removal of routers, firewalls, and VPN gateways that no longer receive security patches, Small said CISA has effectively closed off the main "persistent access" pathways exploited by groups like Volt Typhoon and ArcaneDoor.

“This directive signals a shift in federal strategy from reactive patching to proactive structural hygiene, recognizing that an unpatchable device at the network edge is not an asset, but a perpetual liability,” Small said. “Agencies now have a strict 12-month deadline to decommission these legacy systems with an initial inventory due in just three months to uncover ‘shadow IT’ lurking within government subnets.”

David Sequino, founder and CEO of Integrity Security Services, added that CISA’s new push to handle EoS edge devices represents the kind of reality check agencies need. Sequino pointed out that this isn’t a one-time cleanup.

“It’s a lifecycle discipline,” said Sequino. “Organizations need continuous discovery, clear ownership, and a trust foundation, device identity plus verified firmware and updates, so security is built in and enforceable, not left to hope and perimeter controls."

Chris Rouland, founder and CEO of Phosphorus Cybersecurity, added that his team consistently finds that roughly 26% of an organization’s connected devices are EoS.

“That represents the single greatest edge risk most organizations face,” said Rouland. “Legacy devices that are no longer supported are nearly always running outdated, vulnerable firmware. When a zero-day emerges, there are no patches coming for your end-of-support devices. The operational takeaway is straightforward: Identify and assess every connected device on the network, and do not stop at discovery. Reduce risk by hardening and remediating edge devices through strong credential hygiene, current firmware, and secure configurations."

It's important to note that funding for BODs must get allocated by the specific agency and smaller agencies often have a hard time funding these directives.

An In-Depth Guide to Network Security

Get essential knowledge and practical strategies to fortify your network security.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds