CISA Orders Federal Agencies to Dump End-of-Life Edge Gear
Binding Operational Directive 26-02 gives federal agencies 12-18 months to remove unsupported routers, firewalls, and switches from networks.
CISA dropped Binding Operational Directive 26-02 on February 5, ordering every Federal Civilian Executive Branch agency to inventory, patch, and ultimately rip out network edge devices that no longer receive manufacturer security updates. The directive puts hard deadlines on something federal IT teams have been kicking down the road for years: replacing aging routers, firewalls, and switches that sit at the network perimeter with zero vendor support.
The reasoning is blunt. "Persistent cyber threat actors are increasingly exploiting unsupported edge devices," CISA wrote, describing the risk as "substantial and constant."
What BOD 26-02 Requires
The directive lays out a staged timeline:
- Immediately: Update any vendor-supported edge device that's currently running end-of-support software where a newer version exists
- Within 3 months: Catalog all devices against CISA's new end-of-support edge device list and report findings
- Within 12 months: Decommission every device on CISA's list that had already reached end-of-support before the directive was issued
- Within 18 months: Replace all remaining end-of-support devices with vendor-supported equipment
- Within 24 months: Stand up a continuous discovery process to track new devices approaching end-of-support
The scope is broad. CISA's definition of "edge devices" covers firewalls, routers, switches, load balancers, wireless access points, network security appliances, IoT edge devices, and software-defined networking components. Basically anything sitting between an agency's internal network and the outside world.
The Threat Context
This didn't come out of nowhere. State-sponsored actors—particularly groups linked to China and Russia—have been hammering end-of-life edge devices as preferred entry points for years now. These devices don't get patched, often run outdated firmware with known CVEs, and provide a persistent foothold that's hard to detect.
We've covered this pattern repeatedly: CISA's BrickStorm warnings about PRC actors using compromised network appliances, the ongoing FortiGate authentication bypasses that keep getting exploited months after disclosure, and the D-Link router zero-day affecting devices D-Link stopped supporting five years ago.
BOD 26-02 is CISA's most direct acknowledgment yet that patching alone isn't enough—some devices simply need to go.
Who This Applies To
The mandate targets FCEB agencies specifically, but CISA is encouraging all organizations—state, local, and private sector—to follow the same guidance. The agency published an accompanying fact sheet with the end-of-support device list to help non-federal organizations audit their own networks.
For private companies, the directive serves as a benchmark. If your organization is running the same end-of-life gear that CISA is telling federal agencies to trash, that's a signal worth acting on.
Why This Matters
Network edge devices are the front door to every organization, and unsupported ones are front doors with broken locks. The challenge isn't understanding the risk—it's the budget and logistics of replacing hardware at scale across sprawling federal networks.
The 12-to-18-month timelines are aggressive by government standards, and agencies that have been deferring hardware refreshes will feel the pressure. But the alternative—leaving known-vulnerable, unpatchable devices in place while nation-state actors actively target them—isn't really an alternative at all.
For security teams outside the federal government, BOD 26-02 is a useful reference point when making the case to leadership for hardware lifecycle management. CISA just gave you a directive you can point to. For more on building a comprehensive security posture against these threats, our guides cover the fundamentals that apply to organizations of any size.