CISA has issued Binding Operational Directive 26-02 requiring federal agencies to identify and remove network edge devices that no longer receive security updates, citing substantial risks from exploitation by advanced threat actors targeting unpatched vulnerabilities.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a new binding operational directive requiring federal agencies to identify and remove network edge devices that no longer receive security updates from manufacturers. It also warned that end-of-life edge devices (including routers, firewalls, and network switches) leave federal systems vulnerable to newly discovered exploits and expose them to "disproportionate and unacceptable risks."

"The imminent threat of exploitation to agency information systems running EOS edge devices is substantial and constant, resulting in a significant threat to federal property. CISA is aware of widespread exploitation campaigns by advanced threat actors targeting EOS edge devices," the cybersecurity agency said on Thursday.
"These devices are especially vulnerable to cyber exploits targeting newly discovered, unpatched vulnerabilities. Additionally, they no longer receive supported updates from the original equipment manufacturer, exposing federal systems to disproportionate and unacceptable risks."
Binding Operational Directive 26-02 Requirements
Binding Operational Directive 26-02 (BOD 26-02) requires U.S. government agencies to decommission end-of-support (EOS) hardware and software on federal networks to prevent exploitation by advanced threat actors. The directive establishes a comprehensive timeline for agencies to address this critical security gap.
Immediate Actions Required
Federal agencies must take immediate action on devices that the vendor still supports but that are running end-of-support software versions for which updates are available. This includes:
- Identifying all devices currently running outdated software versions
- Applying available security patches and updates
- Documenting the remediation process
Three-Month Deadline
Within three months, agencies must complete an inventory of all devices on CISA's end-of-support list. This inventory should include:
- Device type and model
- Current software/firmware version
- End-of-support date from manufacturer
- Network location and function
- Current security posture
Twelve-Month Deadline
Federal agencies have 12 months to decommission devices that reached end-of-support before the directive's issuance date. This includes older equipment that manufacturers have ceased supporting entirely.
Eighteen-Month Deadline
Within 18 months, all identified end-of-support edge devices must be replaced with vendor-supported equipment receiving current security updates. This replacement process should prioritize:
- Devices with the most critical security vulnerabilities
- Equipment essential to core network functions
- Systems with the highest exposure to external threats
Long-Term Requirements
BOD 26-02 also requires agencies to establish continuous discovery processes within 24 months to identify edge devices and maintain inventories of equipment and software approaching end-of-support status. This proactive approach aims to prevent future security gaps.
Scope and Impact
While these requirements apply only to U.S. Federal Civilian Executive Branch (FCEB) agencies, CISA encourages all network defenders to follow the guidance in its accompanying fact sheet to secure systems, data, and operations against threat groups targeting network edge devices in ongoing attacks.
The directive specifically targets network edge devices including:
- Routers
- Firewalls
- Network switches
- Load balancers
- VPN concentrators
- Wireless access points
Context and Previous Actions
Three years ago, in June 2023, CISA also issued Binding Operational Directive 23-02, which requires federal civilian agencies to secure misconfigured or Internet-exposed management interfaces (e.g., routers, firewalls, proxies, and load balancers).
Months earlier, it announced that it would warn critical infrastructure organizations if they have network devices vulnerable to ransomware attacks as part of a new Ransomware Vulnerability Warning Pilot (RVWP) program.
Related Security Concerns
This directive comes amid growing concerns about vulnerabilities in network infrastructure. Recent CISA alerts have highlighted several critical issues:
- VMware ESXi flaw now exploited in ransomware attacks
- Five-year-old GitLab flaw exploited in attacks
- Critical SolarWinds RCE flaw now exploited in attacks
- SolarWinds Web Help Desk flaw is now exploited in attacks
These ongoing threats demonstrate why CISA considers end-of-life edge devices to be such a significant security risk. Without manufacturer support and security updates, these devices become easy targets for threat actors who can exploit known vulnerabilities that will never be patched.
Implementation Guidance
Federal agencies should begin by conducting comprehensive network inventories to identify all edge devices and their current support status. This process should include:
- Reviewing manufacturer end-of-support documentation
- Checking current firmware and software versions
- Identifying devices with known vulnerabilities
- Prioritizing replacement based on risk assessment
Agencies should also establish relationships with vendors to ensure they receive timely notifications about end-of-support dates and security updates for their network infrastructure.
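The inventory fields listed under the three-month deadline and the prioritization steps above can be mechanized. The following is an added example, not CISA's tooling or anything from the directive: it takes a constructed device inventory and a constructed stand-in for a vendor end-of-support list, sorts each device into a BOD 26-02 action bucket (immediate patch, decommission within 12 months, replace within 18 months, track approaching EOS, or monitor), and orders remediation by Internet exposure, core-network role, and known unpatched CVE count. The directive's issuance date is a placeholder because the article does not state it; the EOS list, model names, and hostnames are invented.

```python
"""Added example: bucket an edge-device inventory against the BOD 26-02 timeline.

Not CISA's tooling; the EOS list and device records below are constructed samples.
"""
import calendar
from dataclasses import dataclass
from datetime import date

# Placeholder: the article does not state the directive's issuance date.
DIRECTIVE_ISSUED = date(2026, 1, 1)


@dataclass
class EdgeDevice:
    hostname: str
    device_type: str        # router, firewall, switch, load balancer, ...
    model: str
    firmware: str           # dotted version string as reported by the device
    internet_exposed: bool  # management or service interface reachable from the Internet
    core_function: bool     # essential to core network functions
    known_vulns: int        # unpatched CVEs reported by the vulnerability scanner


# Constructed stand-in for a vendor/CISA end-of-support list, keyed by model.
# hardware_eos=None means the hardware is still supported; supported_firmware is
# the oldest firmware train that still receives updates (None if not tracked).
EOS_LIST = {
    "RTR-1000": {"hardware_eos": date(2024, 6, 30), "supported_firmware": None},
    "FW-200":   {"hardware_eos": None,              "supported_firmware": "9.2"},
    "SW-48":    {"hardware_eos": date(2026, 9, 1),  "supported_firmware": None},
    "LB-10":    {"hardware_eos": date(2030, 1, 1),  "supported_firmware": None},
}

BUCKET_ORDER = {"patch_immediately": 0, "decommission": 1, "replace": 2,
                "track_approaching": 3, "monitor": 4}


def add_months(d: date, n: int) -> date:
    """Calendar-month arithmetic, clamping the day to the target month's length."""
    year, month0 = divmod(d.month - 1 + n, 12)
    year += d.year
    month = month0 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def version_tuple(v: str) -> tuple:
    """'9.2' -> (9, 2) so firmware trains compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))


def classify(dev: EdgeDevice, issued: date = DIRECTIVE_ISSUED):
    """Map a device to a BOD 26-02 action bucket and its deadline (or None)."""
    entry = EOS_LIST.get(dev.model)
    if entry is None:
        return "monitor", None                     # not listed: keep in continuous discovery
    hw_eos, supported_fw = entry["hardware_eos"], entry["supported_firmware"]
    if hw_eos is None:
        # Hardware still supported: flag an unsupported firmware train for immediate patching.
        if supported_fw and version_tuple(dev.firmware) < version_tuple(supported_fw):
            return "patch_immediately", issued
        return "monitor", None
    if hw_eos < issued:
        return "decommission", add_months(issued, 12)   # EOS before issuance: 12 months
    if hw_eos <= add_months(issued, 18):
        return "replace", add_months(issued, 18)        # EOS inside the window: 18 months
    return "track_approaching", hw_eos                  # later EOS: keep in the inventory


def priority_key(dev: EdgeDevice):
    """Earlier bucket first, then Internet-exposed, core-function, most known CVEs."""
    bucket, _ = classify(dev)
    return (BUCKET_ORDER[bucket], not dev.internet_exposed,
            not dev.core_function, -dev.known_vulns)


def plan(devices):
    """Return (hostname, bucket, deadline) rows in remediation order."""
    return [(d.hostname, *classify(d)) for d in sorted(devices, key=priority_key)]


# Constructed sample inventory (hostnames and models are invented).
SAMPLE_DEVICES = [
    EdgeDevice("lab-fw-09", "firewall", "FW-200", "9.2", False, False, 0),
    EdgeDevice("branch-rtr-03", "router", "RTR-1000", "15.0", False, False, 5),
    EdgeDevice("core-sw-07", "switch", "SW-48", "4.0", False, True, 0),
    EdgeDevice("edge-rtr-01", "router", "RTR-1000", "15.1", True, True, 3),
    EdgeDevice("dmz-fw-02", "firewall", "FW-200", "8.4", True, True, 1),
    EdgeDevice("lb-10-01", "load balancer", "LB-10", "2.1", True, False, 0),
]

if __name__ == "__main__":
    for hostname, bucket, deadline in plan(SAMPLE_DEVICES):
        print(f"{hostname:<14} {bucket:<18} {deadline or '-'}")
```

In practice the EOS list would be loaded from the vendor's published lifecycle data or CISA's list rather than hard-coded, and the inventory would come from network discovery output; the bucketing and ordering logic is what stays the same. The "track_approaching" bucket is what feeds the 24-month continuous-discovery requirement, since those devices are not yet due but will be.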
Broader Implications
The directive highlights the critical importance of lifecycle management for network infrastructure. Private sector organizations and state/local governments would be wise to conduct similar assessments of their own edge devices, even though they're not formally bound by this directive.
As cyber threats continue to evolve and become more sophisticated, maintaining up-to-date, supported network infrastructure becomes increasingly critical for organizational security. The cost of replacing end-of-life equipment is far less than the potential damage from a successful cyber attack exploiting unpatched vulnerabilities.
