
CISA Mandates Agencies to Replace Unsupported Edge Devices for Improved Federal Network Security

  • Feb 6

Key Findings


  • CISA has issued a binding operational directive ordering federal civilian executive branch (FCEB) agencies to stop using "edge devices" like firewalls and routers that their manufacturers no longer support.

  • The directive aims to tackle a persistent attack vector that has factored into major and common cyber exploits in recent years.

  • Unsupported edge devices pose serious risks as they are vulnerable to newly discovered and unpatched flaws that can provide hackers access to agency networks.


Background


  • CISA developed the directive in conjunction with the Office of Management and Budget, building on a decade-old OMB circular on phasing out unsupported technologies.

  • CISA has no direct authority to mandate agency compliance, but agencies generally seek to follow CISA's binding directives.

  • The private sector also pays attention to CISA's directives, even though they don't directly apply to companies.


Directive Requirements


  • Agencies must inventory all edge devices in their systems that vendors no longer support, within 3 months.

  • Agencies must replace devices that appear on a CISA-provided list with supported devices within 1 year.

  • Agencies must also develop a process within 2 years to regularly identify edge devices that have become unsupported or soon will be.

  • CISA is not planning to make the list of unsupported edge devices public.


Rationale and Threat Landscape


  • CISA cites the "substantial and constant" threat posed by unsupported edge devices, which can provide hackers easy access to agency networks.

  • Recent public reports have highlighted actors' attempts to use these devices as a means to breach federal information systems.

  • CISA says the directive is not a response to any single incident, but rather aimed at addressing a persistent and pervasive threat.


CISA Approach and Compliance


  • CISA says the directive is about working with agencies to find solutions, not "forcing" compliance.

  • This includes addressing challenges such as operational technology that is difficult to update and replace.

  • While CISA has no direct enforcement authority, the agency can work to ensure compliance through other means.


Sources


  • https://cyberscoop.com/cisa-bod-directive-unsupported-edge-devices-firewalls-routers/

  • https://thehackernews.com/2026/02/cisa-orders-removal-of-unsupported-edge.html

  • https://ground.news/article/cisa-tells-agencies-to-stop-using-unsupported-edge-devices_e7d9a6

  • https://federalnewsnetwork.com/cybersecurity/2026/02/cisa-tells-agencies-to-identify-upgrade-unsupported-edge-devices/

  • https://www.cybersecuritydive.com/news/cisa-edge-devices-binding-operational-directive/811539/

© 2025 by Explain IT Again.