The US cybersecurity agency has issued a binding directive requiring federal agencies to identify, phase out and replace unsupported network edge devices, warning that outdated routers, firewalls and switches pose serious and ongoing risks from advanced cyber threats.
The US Cybersecurity and Infrastructure Security Agency (CISA) has directed federal civilian agencies to urgently identify and remove network edge devices that no longer receive security updates from manufacturers, citing escalating risks from active cyber exploitation.
In a newly issued Binding Operational Directive, CISA warned that end-of-support devices—such as routers, firewalls and network switches—are increasingly targeted by advanced threat actors because they lack patches for newly discovered vulnerabilities. According to the agency, continued use of such equipment exposes federal systems to “unacceptable and disproportionate” security risks.
CISA said it is aware of widespread exploitation campaigns aimed at outdated edge devices across government networks. These devices often sit at the perimeter of enterprise environments, making them attractive entry points for attackers seeking to compromise sensitive systems and data.
Timelines for removal and replacement
The directive, identified as Binding Operational Directive 26-02, requires agencies within the Federal Civilian Executive Branch to take a structured, time-bound approach to mitigating the risk. Agencies must immediately address any supported hardware running software that has reached end-of-support, where vendor updates are still available.
Within three months, agencies are required to complete an inventory of all edge devices listed as end-of-support by CISA. Devices that had already reached end-of-support before the directive was issued must be fully decommissioned within 12 months. CISA has set an 18-month deadline for replacing all identified unsupported edge devices with vendor-supported equipment that receives regular security updates.
The directive also calls for long-term changes in how agencies manage network assets. Within 24 months, agencies must establish continuous discovery and inventory processes to track edge devices and identify systems approaching end-of-support before they become security liabilities.
Broader cybersecurity push
While the directive applies specifically to federal civilian agencies, CISA urged all organisations—particularly critical infrastructure operators and large enterprises—to follow the same practices. The agency said the guidance is intended to strengthen overall cyber resilience as threat groups increasingly focus on exploiting network infrastructure.
The latest move builds on earlier CISA initiatives to secure federal networks. In 2023, the agency mandated the protection of internet-exposed management interfaces under a separate binding directive. It has also launched programmes to alert organisations about ransomware risks linked to vulnerable network devices.
CISA said proactive lifecycle management of network equipment is now essential as cyber threats grow more sophisticated and persistent.



