The Cybersecurity and Infrastructure Security Agency (CISA) has issued a new directive to federal agencies to take action against rising cyber security threats.
The Binding Operational Directive 26-02, Mitigating Risk from End-of-Support Edge Devices, requires Federal Civilian Executive Branch (FCEB) agencies to take action to drive down technical debt and to minimize the risk of compromise. The directive requires FCEB agencies to strengthen asset lifecycle management for active edge devices and remove any hardware and software devices that are no longer supported by the original equipment manufacturer.
“Unsupported devices pose a serious risk to federal systems and should never remain on enterprise networks,” CISA Acting Director Madhu Gottumukkala said. “When the threat landscape demands decisive action, CISA will direct FCEB agencies to strengthen cyber resilience and build a stronger, safer digital infrastructure for America’s future. CISA strongly encourages non-federal organizations to adopt similar actions to strengthen the security of their edge devices.”
CISA said cyber threat actors are increasingly exploiting unsupported edge devices: hardware and software that no longer receive vendor updates and are especially vulnerable to persistent cyber threat actors exploiting new or known vulnerabilities. To mitigate the threat, CISA is requiring FCEB agencies to adhere to standard lifecycle management processes and mandatory actions within a required time limit.
The directive’s actions include updating vendor-supported edge devices running end-of-support software; inventorying all devices to identify those that are end-of-support; removing all end-of-support edge devices from agency networks and replacing them; and establishing a mature lifecycle management process for continuous discovery of all edge devices.
“Practicing good cyber hygiene starts with eliminating unsupported edge devices,” CISA Executive Assistant Director for Cybersecurity Nick Andersen said. “Driving timely risk reduction across the federal enterprise is critical, but true impact comes when all organizations commit to the same goal. By proactively managing asset lifecycles and removing end-of-support technology, we can collectively strengthen resilience and protect the global digital ecosystem.”
