A Cybersecurity and Infrastructure Security Agency order published Thursday directs federal agencies to stop using “edge devices” like firewalls and routers that their manufacturers no longer support.
It’s a stab at tackling one of the most persistent and difficult-to-manage avenues of attack for hackers, a vector that has factored into some of the most consequential and most common types of exploits in recent years. New edge-device vulnerabilities surface frequently.
Under the binding operational directive CISA released Thursday, federal civilian executive branch (FCEB) agencies must inventory edge devices in their systems that vendors no longer support within three months, and replace those on a dedicated list with supported devices within one year.
“Unsupported devices pose a serious risk to federal systems and should never remain on enterprise networks,” said CISA Acting Director Madhu Gottumukkala. “When the threat landscape demands decisive action, CISA will direct FCEB agencies to strengthen cyber resilience and build a stronger, safer digital infrastructure for America’s future. CISA strongly encourages non-federal organizations to adopt similar actions to strengthen the security of their edge devices.”
To aid agencies in following the directive, CISA is producing a list of end-of-service edge devices. CISA developed the directive in conjunction with the Office of Management and Budget, and puts a bit more muscle behind a decade-old OMB circular on agencies phasing out unsupported technologies.
Despite being called “binding operational directives,” CISA has no authority to mandate that agencies carry out the orders — although agencies have demonstrated they usually seek to follow them, and there are ways that CISA can work to ensure compliance. The private sector pays attention to CISA’s directives even though they don’t apply to companies.
Nick Andersen, executive assistant director for cybersecurity at CISA, told reporters Thursday that the directive wasn’t about “forcing” agencies to comply so much as working with them to find a resolution. That includes circumstances such as for operational technology that is difficult to update and replace, he said.
The directive identifies the threat to federal information systems posed by unsupported edge devices as “substantial and constant,” given the access they can provide to hackers and how they are “especially vulnerable” to freshly-discovered and unpatched flaws.
“The United States faces persistent cyber campaigns that threaten both public and private sectors, directly impacting the security and privacy of the American people,” the directive reads. “These campaigns are often enabled by unsupported devices that physically reside on the edge of an organization’s network perimeter.”
The directive cites unnamed “recent public reports of campaigns targeting certain vendors highlight actors’ attempts to use these devices as a means to pivot into FCEB information system networks.” Andersen declined to name which reports the directive refers to, but said the order “isn’t a response to any one incident or compromise.”
Under the order, agencies are also told they must develop a process within two years for regularly identifying edge devices that have become unsupported or soon will.
The one-year timeframe to decommission listed devices is to give agencies time to invest in new technology as needed, Andersen said. He said CISA did not plan to make the list public.
CISA is publishing Tuesday’s directive almost one year to the day after the agency, with other federal and international agencies, released guidance on protecting edge devices.
Updated 2/5/26: to include additional remarks from Andersen.
The post CISA tells agencies to stop using unsupported edge devices appeared first on CyberScoop.
A binding operational directive issued Thursday looks to combat an attack pathway that has been behind some of the biggest attacks and most common exploits in recent years.
The post CISA tells agencies to stop using unsupported edge devices appeared first on CyberScoop. Read MoreCyberScoop
