CISA Orders Agencies to Patch and Replace End-of-Life Devices, Citing Active Exploitation
•February 5, 2026
0
Why It Matters
Legacy, unsupported devices present a critical vulnerability that can be leveraged to compromise federal networks, and their systematic removal reduces national cyber risk while setting a security benchmark for the broader enterprise sector.
Key Takeaways
- •CISA mandates three‑month inventory of end‑of‑support edge devices.
- •Agencies have 12 months to replace, 18 to eliminate.
- •Advanced hackers, including nation‑state actors, actively exploiting these devices.
- •No fines; compliance tracked through OMB oversight.
- •Directive urges private sector to adopt similar edge‑device security.
Pulse Analysis
Legacy network hardware—routers, switches, firewalls—often lingers in government environments long after vendors cease issuing patches. These end‑of‑support (EOS) devices become low‑cost, high‑impact entry points for sophisticated adversaries, especially when they expose internet‑facing services. By publicly acknowledging ongoing exploitation campaigns, CISA underscores the urgency of addressing this hidden risk, aligning with broader federal initiatives to harden the supply chain and reduce attack surface across critical infrastructure.
The new binding operational directive (BOD‑26‑02) sets a phased timeline: a three‑month window for agencies to catalog all EOS edge devices, a twelve‑month period to procure and install replacements, and an eighteen‑month deadline to fully retire the legacy equipment. Agencies must also upgrade any still‑supported devices to current firmware without disrupting mission‑critical operations. While CISA does not levy monetary penalties, it will collaborate with the Office of Management and Budget to monitor progress, leveraging existing procurement cycles and fiscal year planning to spread costs and minimize operational impact.
Beyond the federal sphere, the directive serves as a de‑facto industry standard. Private enterprises that share similar technology stacks can adopt the same inventory and remediation cadence, mitigating the same threat vectors that have plagued government networks. As nation‑state actors continue to target outdated infrastructure, proactive replacement of EOS devices becomes a cornerstone of cyber resilience, reinforcing the broader push toward zero‑trust architectures and continuous monitoring across both public and private sectors.
CISA orders agencies to patch and replace end-of-life devices, citing active exploitation
The Cybersecurity and Infrastructure Security Agency said Thursday it detected widespread exploitation of unsupported, internet-facing devices by advanced hackers and ordered federal agencies to begin a monthslong process of removing and replacing that outdated equipment.
The binding operational directive focuses on edge devices, many of which remain in service long after software vendors stop issuing security updates, increasing the risk of exploitation.
“The imminent threat of exploitation to agency information systems running EOS edge devices is substantial and constant, resulting in a significant threat to federal property. CISA is aware of widespread exploitation campaigns by advanced threat actors targeting EOS edge devices,” the directive says.
On a call with reporters, Nick Andersen, executive assistant director for cybersecurity at CISA, said that some of the hackers have ties to nation state adversaries.
“We’re encouraging other organizations to follow our lead and adopt similar actions to strengthen the security of their edge devices. Put simply, unsupported devices should never remain on enterprise networks,” he said. The directive isn’t a response to any one compromise, he added, though he declined to name specific incidents that motivated the directive’s issuance.
Legacy systems are a repeated, common avenue that government agencies continue to struggle to secure, making them attractive targets for advanced threat actors once security updates lapse. At any point in time, hackers may be targeting federal computer networks, which frequently house sensitive data tied to government operations, public services and national functions.
The directive gives agencies three months to identify unsupported edge devices, a year to begin removing them and 18 months to eliminate them entirely, before requiring continuous monitoring to prevent outdated systems from returning to federal networks.
Agencies must immediately update any vendor-supported edge devices running end-of-support software to supported versions, where doing so does not disrupt mission-critical operations.
The month-by-month deadlines are meant to “allow time for organizations to do a thorough inventory,” added Andersen. The agency does not plan to make the list publicly available, and Andersen said that some agencies and organizations could have different tech stacks that don’t map cleanly to the federal-focused list.
“In many cases, this may require investing in new devices,’ he said. “So we’re encouraging all organizations to implement this guidance in the directive as soon as possible. But you know, providing for a 12-month timeline, in particular for the decommission item ... that gives us an opportunity as well to look at this across multiple fiscal years and across our federal government partners.”
A year ago, the cyberdefense agency issued similar guidance on edge device security with international partners signed on.
Although binding operational directives carry mandatory requirements for federal civilian agencies, CISA does not directly enforce them through fines or penalties and instead works with the Office of Management and Budget to track compliance with the orders.
]]>
0
Comments
Want to join the conversation?
Loading comments...