In Brief:
- BOD 26-02 targets end-of-support devices deployed at network edges.
- Federal agencies are directed to remove unsupported hardware and software.
- Guidance also urges wider adoption beyond federal networks where feasible.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a Binding Operational Directive (BOD) requiring federal agencies to eliminate unsupported edge devices from their networks, targeting hardware and software that no longer receives vendor security updates.
The directive focuses on the “edge” — public-facing or perimeter-deployed infrastructure where routers, firewalls, gateways, and similar devices sit directly exposed to external threat activity. The security logic is blunt: once a device reaches end-of-support, vulnerabilities accumulate without remediation, and defenders are left managing risk with compensating controls that often fail under determined exploitation.
CISA’s directive, BOD 26-02, specifically addresses end-of-support (EOS) devices deployed on the edge of federal networks and requires agencies to mitigate the risk by removing unsupported hardware and software from service. Separately, CISA has published supporting guidance on reducing the attack surface for EOS edge devices, defining an unsupported device as one where the manufacturer no longer monitors defects, releases patches, or provides security advisories and updates.
Alongside the directive, CISA-backed guidance encourages broader adoption beyond the federal civilian executive branch, reflecting a common operational problem: federal agencies are rarely isolated from the wider ecosystem. Supply chain partners, managed service providers, and shared infrastructure environments can reintroduce the same exposure patterns if end-of-support devices remain in use elsewhere, particularly where remote management interfaces or internet-facing services are involved.
For the defence industrial base and other critical infrastructure operators, the directive is a clear signal of where enforcement attention is moving. Unsupported edge devices are attractive targets because they are both high-value and, from an attacker’s perspective, forgiving: old vulnerabilities are well understood, exploit chains are widely circulated, and patching is no longer an option. When compromise occurs, edge devices are also positioned to enable lateral movement, credential interception, or persistent access that survives endpoint clean-up activity.
The operational response is rarely painless. Replacing perimeter equipment can require re-certification, downtime planning, configuration migration, and dependency mapping that exposes how much “temporary” infrastructure has become permanent. CISA’s move is designed to force that reckoning in a controlled way, before adversaries do it for agencies under incident conditions.



