CISA Mandates Agencies to Replace Unsupported Edge Devices for Improved Federal Network Security

  • Feb 6

Key Findings


  • CISA has issued a binding operational directive ordering federal civilian executive branch (FCEB) agencies to stop using "edge devices" like firewalls and routers that their manufacturers no longer support.

  • The directive aims to tackle a persistent attack vector that has factored into major and common cyber exploits in recent years.

  • Unsupported edge devices pose serious risks as they are vulnerable to newly discovered and unpatched flaws that can provide hackers access to agency networks.


Background


  • CISA developed the directive in conjunction with the Office of Management and Budget, building on a decade-old OMB circular on phasing out unsupported technologies.

  • CISA has no direct authority to mandate agency compliance, but agencies generally seek to follow CISA's binding directives.

  • The private sector also pays attention to CISA's directives, even though they don't directly apply to companies.


Directive Requirements


  • Agencies must inventory all edge devices in their systems that vendors no longer support, within 3 months.

  • Agencies must replace the devices that appear on a CISA-provided list with supported devices within 1 year.

  • Agencies must also develop a process within 2 years to regularly identify edge devices that have become unsupported or soon will be.

  • CISA is not planning to make the list of unsupported edge devices public.


Rationale and Threat Landscape


  • CISA cites the "substantial and constant" threat posed by unsupported edge devices, which can provide hackers easy access to agency networks.

  • Recent public reports have highlighted actors' attempts to use these devices as a means to breach federal information systems.

  • CISA says the directive is not a response to any single incident, but rather aimed at addressing a persistent and pervasive threat.


CISA Approach and Compliance


  • CISA says the directive is about working with agencies to find solutions, not "forcing" compliance.

  • This includes addressing challenges such as operational technology that is difficult to update and replace.

  • While CISA has no direct enforcement authority, the agency can work to ensure compliance through other means.


Sources


  • https://cyberscoop.com/cisa-bod-directive-unsupported-edge-devices-firewalls-routers/

  • https://thehackernews.com/2026/02/cisa-orders-removal-of-unsupported-edge.html

  • https://ground.news/article/cisa-tells-agencies-to-stop-using-unsupported-edge-devices_e7d9a6

  • https://federalnewsnetwork.com/cybersecurity/2026/02/cisa-tells-agencies-to-identify-upgrade-unsupported-edge-devices/

  • https://www.cybersecuritydive.com/news/cisa-edge-devices-binding-operational-directive/811539/
