CISA Tells Agencies to Remove These Vulnerable Edge Devices

Cyber threats targeting government systems often exploit weaknesses in unsupported and outdated edge devices. To combat these threats, the Cybersecurity and Infrastructure Security Agency (CISA) has told federal civilian agencies to remove these edge devices from their networks.

The agency’s February directive, Binding Operational Directive 26-02 (BOD 26-02), mandates that agencies phase out end-of-support (EOS) hardware and software that no longer receive vendor security updates.

The directive establishes deadlines over the next 24 months for agencies to inventory, report and decommission vulnerable devices connected to federal networks. CISA developed a preliminary inventory of devices that are already or soon-to-be EOS to help agencies identify vulnerabilities. The list is not publicly available.

Under the directive, agencies must:

• Immediately update edge devices running EOS software to vendor-supported versions.
• By May 5, 2026, inventory and report all EOS devices to CISA using the agency’s template.
• Within one year, remove all EOS edge devices and replace them with vendor-supported technology that receives security updates.
• Within two years, establish a lifecycle management process to continuously monitor and maintain edge device inventories.

Hackers commonly target these devices because they lack updated security patches and present open doors to gain entry into systems. In a high-profile 2015 breach, hackers accessed Office of Personnel Management systems and remained undetected for months. More than 21.5 million federal employees were compromised.

Former CISA CIO Bob Costello told GovCIO Media & Research unsupported edge devices represent a growing vulnerability across federal networks because they no longer receive vendor patches or security support.

“We’re trying to modernize in a way that reduces the attack surface or moves where the adversary can’t attack us,” Costello said.

Costello, who recently departed the agency, said the directive aligns with broader federal cybersecurity priorities, including zero trust requirements outlined in guidance from the Office of Management and Budget. He added that modernizing network architecture and removing unsupported infrastructure will help agencies adopt secure access service edge and other zero trust capabilities.

Centers for Medicare and Medicaid Services CISO Keith Busby said the federal attack surface continues to expand as agencies modernize systems and rely more heavily on third-party services such as application programming interfaces. Busby said strengthening identity protections and zero trust architecture will be critical as agencies manage increasingly complex machine-to-machine interactions across modern networks.