What happened
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive 26‑02, which requires Federal Civilian Executive Branch (FCEB) agencies to identify, update, or remove “end‑of‑support” edge network devices: firewalls, routers, switches, wireless access points, IoT edge devices and similar hardware that no longer receive security updates from their original equipment manufacturers. The directive sets strict timelines: inventory within three months, decommissioning of devices past end‑of‑support within 12‑18 months, and implementation of continuous lifecycle management within 24 months.
Who is affected
The directive is mandatory for U.S. civilian federal agencies and targets active network edge devices that have reached or will soon reach end‑of‑support. While the requirement applies federally, CISA has encouraged state, local, and private sector organizations to consider similar measures.
Why CISOs should care
Unsupported edge devices are attractive targets for advanced threat actors, including nation‑state groups, because they no longer receive vendor updates or security patches. Positioned at the network perimeter, these devices can provide an initial access vector, enabling lateral movement, disruption, or data exfiltration. The federal directive signals a broader trend toward proactive asset lifecycle governance that private sector CISOs should anticipate and adopt to reduce risk and technical debt.
3 practical actions
- Perform comprehensive inventory and classification of all edge network devices across your enterprise to identify devices that are at or near end‑of‑support.
- Develop and enforce a lifecycle management policy that includes timelines for patching, upgrade, replacement, and decommissioning of outdated network hardware and software.
- Prioritize segmentation and compensating controls for any remaining legacy devices while planning their phase‑out to reduce the risk of compromise during transition.
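As an added example (not part of the original brief), the script below turns the first action into code: it classifies a constructed edge-device inventory by end-of-support status against the directive's decommissioning window and derives the three deadlines from an issue date. The issue date, "as of" date, hostnames and end-of-support dates are assumed placeholders, not values taken from the directive.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional
# Directive timelines as summarised above, in months from the directive's issue date.
INVENTORY_MONTHS, DECOMMISSION_MONTHS, LIFECYCLE_MONTHS = 3, 18, 24  # 18 = upper end of 12-18
# Constructed "as of" date for the run and a placeholder issue date (substitute the real one).
AS_OF, ISSUED = date(2026, 2, 1), date(2026, 1, 15)

@dataclass
class EdgeDevice:
    hostname: str
    kind: str                        # firewall, router, switch, access point, IoT gateway ...
    end_of_support: Optional[date]   # None: no vendor end-of-support date on record

def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping the day to the target month's length."""
    y, m0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + y, m0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def directive_deadlines(issued: date) -> Dict[str, date]:
    """Inventory, decommission and lifecycle-management due dates for a given issue date."""
    return {"inventory": add_months(issued, INVENTORY_MONTHS),
            "decommission": add_months(issued, DECOMMISSION_MONTHS),
            "lifecycle": add_months(issued, LIFECYCLE_MONTHS)}

def classify(device: EdgeDevice, today: date, horizon_months: int = DECOMMISSION_MONTHS) -> str:
    """Bucket by support status; a device whose support ends inside the window is already in scope."""
    if device.end_of_support is None:
        return "unknown"                     # confirm the date with the vendor before deciding
    if device.end_of_support <= today:
        return "past_end_of_support"         # remove or replace now; segment until then
    if device.end_of_support <= add_months(today, horizon_months):
        return "approaching_end_of_support"  # schedule replacement inside the window
    return "supported"

def triage(devices: List[EdgeDevice], today: date) -> Dict[str, List[str]]:
    buckets: Dict[str, List[str]] = {}   # status -> hostnames, tracked against each deadline
    for d in devices:
        buckets.setdefault(classify(d, today), []).append(d.hostname)
    return buckets

# Constructed sample inventory (hostnames and dates are made up for the example).
INVENTORY = [
    EdgeDevice("fw-edge-01", "firewall", date(2024, 3, 31)),
    EdgeDevice("rtr-wan-02", "router", date(2026, 9, 30)),
    EdgeDevice("ap-lobby-07", "access point", date(2029, 1, 1)),
    EdgeDevice("iot-gw-03", "IoT gateway", None),
]
```

Devices in the "unknown" bucket are the ones most often missed in practice; treat them as in scope until the vendor confirms a date.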
