{"id":15723,"date":"2026-02-06T11:51:32","date_gmt":"2026-02-06T11:51:32","guid":{"rendered":"https:\/\/newestek.com\/?p=15723"},"modified":"2026-02-06T11:51:32","modified_gmt":"2026-02-06T11:51:32","slug":"cisa-gives-federal-agencies-18-months-to-purge-unsupported-edge-devices","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15723","title":{"rendered":"CISA gives federal agencies 18 months to purge unsupported edge devices"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>The Cybersecurity and Infrastructure Security Agency has given federal agencies 18 months to remove all end-of-support edge devices from their networks, escalating its response to what security researchers describe as a fundamental shift in nation-state attack tactics, where attackers exploit network infrastructure rather than endpoints.<\/p>\n<p>The <a href=\"https:\/\/www.cisa.gov\/news-events\/directives\/bod-26-02-mitigating-risk-end-support-edge-devices\" target=\"_blank\" rel=\"noreferrer noopener\">binding operational directive<\/a>, BOD 26-02, requires Federal Civilian Executive Branch (FCEB) agencies to inventory, update where possible, and ultimately replace firewalls, routers, VPN gateways, load balancers, and network security appliances that no longer receive vendor security patches. 
CISA warned that the threat from these unsupported devices is \u201csubstantial and constant.\u201d<\/p>\n<p>\u201cUnsupported devices pose a serious risk to federal systems and should never remain on enterprise networks,\u201d CISA Acting Director Madhu Gottumukkala said in the directive.<\/p>\n<p>The directive requires FCEB agencies to immediately update any edge device running outdated software to vendor-supported versions where possible. Within three months, agencies must inventory all end-of-support devices using CISA\u2019s EOS Edge Device List and report findings. Within 12 months, agencies must begin removing devices that have reached end-of-support dates. The 18-month deadline requires all unsupported edge devices to be permanently removed and replaced.<\/p>\n<h2 class=\"wp-block-heading\" id=\"why-edge-devices-became-prime-targets\">Why edge devices became prime targets<\/h2>\n<p>\u201cEdge devices differ fundamentally from traditional IT assets, as they are often end of support, custom, OEM and process dependent,\u201d Avinash Dev Nagumanthri, director analyst at Gartner, told CSO. \u201cThis makes discovery, patching, and replacement difficult under tight budgets while maintaining uptime.\u201d<\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/4128748\/Nation-state%20actors%20exploiting%20outdated%20firewalls%20and%20routers%20prompted%20the%20directive%20requiring%20agencies%20to%20inventory%20and%20replace%20unsupported%20network%20perimeter%20devices\">Network edge devices<\/a> have become one of the top initial access vectors for state-affiliated cyberespionage groups and ransomware gangs. Research shows a dramatic increase in edge device exploitation, with <a href=\"https:\/\/www.csoonline.com\/article\/4031603\/32-of-exploited-vulnerabilities-are-now-zero-days-or-1-days.html\">network edge vulnerabilities seeing an 8x increase<\/a> in exploitation activity. 
The <a href=\"https:\/\/www.mandiant.com\/m-trends\">2025 Mandiant M-Trends report<\/a> found that 21% of ransomware attacks featured vulnerability exploitation as the initial access vector.<\/p>\n<p>CISA has <a href=\"https:\/\/www.cisa.gov\/news-events\/cybersecurity-advisories\/aa25-239a\">documented nation-state campaigns<\/a> targeting devices from Cisco, Fortinet, Palo Alto Networks, Ivanti, Juniper, and other vendors. The agency noted that these devices have become attractive targets because of their position at the network boundary, integration with identity management systems, and privileged access for lateral movement. Once compromised, they enable threat actors to intercept network traffic, harvest credentials, and exfiltrate sensitive data while evading traditional endpoint detection.<\/p>\n<p>Nagumanthri noted that edge devices protecting critical infrastructure can have physical impacts when compromised, putting high-value systems in sectors like water and transportation at risk. \u201cNation-state actors are increasingly exploiting edge devices as entry points into infrastructure, threatening critical private sector operations.\u201d<\/p>\n<p>The directive follows two recent emergency directives. In September, CISA issued <a href=\"https:\/\/www.cisa.gov\/news-events\/news\/cisa-issues-emergency-directive-requiring-federal-agencies-identify-and-mitigate-cisco-zero-day\" target=\"_blank\" rel=\"noreferrer noopener\">Emergency Directive 25-03<\/a> after threat actors exploited zero-day vulnerabilities in Cisco Adaptive Security Appliances, deploying persistent malware that survived reboots. 
In October, <a href=\"https:\/\/www.cisa.gov\/news-events\/directives\/ed-26-01-mitigate-vulnerabilities-f5-devices\" target=\"_blank\" rel=\"noreferrer noopener\">another emergency directive<\/a> followed the compromise of F5 Networks\u2019 development environment, where attackers exfiltrated BIG-IP source code.<\/p>\n<h2 class=\"wp-block-heading\" id=\"implementation-hurdles\">Implementation hurdles<\/h2>\n<p>Sunil Varkey, advisor at Beagle Security, warns of implementation complexities. \u201cThe operational reality of removing legacy systems is not straightforward,\u201d Varkey said. \u201cLegacy devices continue to exist not by design, but by necessity.\u201d<\/p>\n<p>He pointed to orphaned systems that remain live and embedded in workflows but lack clear ownership, and operational technology environments where newer hardware or software versions are not available, compatible, or certified. The process requires asset discovery, risk assessment, procurement, configuration redesign, data migration, testing, and managed cutovers to avoid service disruption.<\/p>\n<p>\u201cA common challenge will be the presence of \u2018orphaned\u2019 or \u2018ghost\u2019 systems \u2014 devices that are live, embedded in workflows, but no longer clearly owned,\u201d Varkey said. \u201cThese systems often persist because \u2018they\u2019ve always worked,\u2019 even when no one fully understands their function.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"private-sector-implications\">Private sector implications<\/h2>\n<p>While the directive applies only to federal civilian agencies, CISA strongly encourages private sector organizations to adopt similar measures. 
The exploitation campaigns targeting federal networks pose equivalent risks to critical infrastructure and commercial enterprises.<\/p>\n<p>Nagumanthri recommended that organizations treat edge and cyber-physical systems as Tier-0 assets, enforce strong authentication, implement network segmentation, require vendor-supported firmware updates, and centralize logging to limit blast radius. For the private sector, he advocated structured lifecycle management with secure-by-design hardware, continuous monitoring, and controlled updates with rollback capabilities.<\/p>\n<p>Varkey saw the directive as a catalyst for modernization beyond compliance. \u201cWhile the short-term impact will be challenging, the outcome is a more secure, accountable, and defensible infrastructure \u2014 one better aligned with today\u2019s threat realities and tomorrow\u2019s operational needs.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>The Cybersecurity and Infrastructure Security Agency has given federal agencies 18 months to remove all end-of-support edge devices from their networks, escalating its response to what security researchers describe as a fundamental shift in nation-state attack tactics, where attackers exploit network infrastructure rather than endpoints. 
The binding operational directive, BOD 26-02, requires Federal Civilian Executive Branch (FCEB) agencies to inventory, update where possible, and ultimately&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=15723\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15723","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15723","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15723"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15723\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15723"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15723"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15723"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}