
CISA Orders Federal Agencies to Remove Outdated Routers


In a move to close a persistent security gap, the Cybersecurity and Infrastructure Security Agency (CISA) is mandating that all civilian federal agencies identify and remove aging routers, firewalls, and other edge devices that vendors no longer support.

Binding Operational Directive 26-02 focuses on outdated network perimeter hardware that vendors no longer support. Officials warn that these devices are a common starting point for attackers because unpatched security vulnerabilities remain exposed.

[Image: BOD 26-02 | Image Credit: CISA.gov]

Issued in coordination with the Office of Management and Budget, BOD 26-02 establishes strict deadlines for a broad overhaul of federal IT infrastructure. The directive covers routers, VPN gateways, firewalls, and switches, which control network traffic but pose security risks when left unmaintained.

[Image: Publication by CISA.gov]

“Once exploited, attackers can move laterally, steal data, or disrupt mission-critical operations,” said Nick Andersen, CISA’s Executive Assistant Director for Cybersecurity. He noted that both state-backed and financially motivated actors increasingly target such devices, leveraging unpatched firmware flaws.

CISA acting director Madhu Gottumukkala described the directive as long overdue and necessary, pointing to years of cases in which attackers bypassed modern internal controls by exploiting unsupported network devices.

Strict Timelines for Removal

Under the directive:

  • Agencies have three months to produce a complete inventory of edge equipment and flag devices past their vendor support date.
  • Any still-supported devices must be patched immediately, while unsupported ones must be replaced within 12 months.
  • All end-of-support hardware must be purged from government networks within 18 months.
  • Agencies must also establish continuous tracking to prevent outdated gear from being reintroduced later.

CISA cited its Known Exploited Vulnerabilities catalog, which includes multiple cases of attackers abusing discontinued network hardware. Among them are an exploit used last December against unsupported D-Link routers and a 2025 espionage campaign tied to Chinese state-linked actors that relied on aging network equipment.

While BOD 26-02 is mandatory for civilian federal agencies, it does not impose direct financial or legal penalties. Instead, CISA and the Office of Management and Budget will monitor progress and publicly report on compliance, a level of scrutiny that typically elevates such directives to high priority.

CISA has developed an internal End-of-Support Edge Device List to help agencies identify commonly used devices that are nearing or past the end of vendor support. The list will not be made public due to concerns that it could expose potential targets to adversaries.

CISA is also urging organizations outside the federal executive branch, including state, local, tribal, territorial, and private sector entities, to work directly with vendors to understand their equipment support timelines and apply similar risk-mitigation measures.
