The Cybersecurity & Infrastructure Security Agency (CISA) issued a Binding Operational Directive—BOD 26-02: Mitigating Risk From End-of-Support Edge Devices—requiring federal agencies to inventory, remove, and replace unsupported edge devices. CISA cited growing evidence that threat actors were actively exploiting such Internet-facing assets as initial access points.

Federal agencies were given a year to remove hardware devices that no longer receive “timely, supported updates from the original equipment manufacturer, including patches for CVEs, security updates, software fixes (hotfixes), and defects.”

CISA further stated that it will provide an initial list of End-of-Support (EOS) and soon-to-be EOS edge devices, including the IT product name, version number, and end-of-support date.

“CISA’s directive underscores a growing reality in operational technology: unsupported edge devices are not just an IT lifecycle issue – they represent a direct risk to physical operations,” warned Joe Saunders, CEO of RunSafe Security.

Saunders told ClearanceJobs in an email that such hardware, if breached, would give attackers access to OT environments, which often rely on legacy systems that were never designed with modern security in mind. Yet they continue to control critical processes across infrastructure and industry.

“When those devices reach end-of-support, organizations are left running technology that is unmanaged, unmonitored, and frequently unpatched — creating ideal entry points for attackers,” Saunders added.

Out With The Old

It is unclear how much older computer and networking hardware exists within the federal government, or how agencies will manage replacing it. This has been a problem years in the making, with agencies often pushing it down the road.

Sunil Gottumukkala, CEO of security provider Averlon, acknowledged that CISA has taken a step in the right direction. Gottumukkala told ClearanceJobs that more may be needed.

“Getting rid of decades-old edge devices is necessary, but replacement alone doesn’t automatically reduce risk. Most agencies already know where end-of-life devices exist. What slows progress is coordinating ownership, dependencies, and operational risk across teams,” said Gottumukkala.

Is the Timeline Remotely Realistic?

As noted, the legacy hardware is a problem because it has been in service far longer than it should have been, and no plan was in place to deal with its EOS. Agencies will need to determine what needs to be replaced, how new hardware can be integrated, and how it will fit within budgets.

Rome wasn’t built in a day, and replacing years, if not decades, of old systems could be a time-consuming effort.

“It’s unlikely that every legacy device will be replaced neatly within a year, but meaningful risk reduction is achievable if agencies prioritize the devices that sit on critical access paths and sequence remediation accordingly,” suggested Gottumukkala. “The same challenge exists across modern IT systems, especially in cloud environments where deprecated Kubernetes versions, container images, and runtimes create similar end-of-life exposure.”
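As an added illustration of the inventory-and-prioritization work the directive demands (this is not code from CISA, ClearanceJobs, or any of the companies quoted), the script below matches a constructed asset inventory against an end-of-support list in the shape CISA said it would publish (product name, version, end-of-support date) and orders remediation so that already-unsupported devices on critical access paths come first. All vendor names, hostnames and dates are constructed placeholders, not entries from any real EOS list.

```python
from datetime import date, timedelta

# Constructed EOS list in the shape CISA describes (product, version, EOS date).
# Vendor names and dates are placeholders, not entries from any real CISA list.
EOS_LIST = [
    {"product": "ExampleVendor VPN Gateway", "version": "7.x", "eos": date(2024, 6, 30)},
    {"product": "ExampleVendor VPN Gateway", "version": "9.x", "eos": date(2027, 3, 31)},
    {"product": "ExampleVendor Edge Firewall", "version": "5.2", "eos": date(2026, 9, 15)},
]

# Constructed agency inventory; "critical_path" marks devices on critical access paths.
INVENTORY = [
    {"host": "vpn-hq-01", "product": "ExampleVendor VPN Gateway", "version": "7.4.2", "critical_path": True},
    {"host": "vpn-field-03", "product": "ExampleVendor VPN Gateway", "version": "9.1.0", "critical_path": False},
    {"host": "fw-site-12", "product": "ExampleVendor Edge Firewall", "version": "5.2.8", "critical_path": True},
    {"host": "sw-lab-07", "product": "UnknownVendor Switch", "version": "1.0", "critical_path": False},
]

def version_matches(installed: str, listed: str) -> bool:
    """True if an installed version falls under an EOS entry: "7.x" covers 7.*, "5.2" covers 5.2.*"""
    want, have = listed.split("."), installed.split(".")
    if len(have) < len(want):
        return False
    return all(w == "x" or w == h for w, h in zip(want, have))

def classify(asset: dict, eos_list: list, today: date, horizon_days: int = 365) -> str:
    """Return 'eos', 'soon' (EOS inside the horizon), 'supported', or 'unlisted'."""
    for entry in eos_list:
        if entry["product"] == asset["product"] and version_matches(asset["version"], entry["version"]):
            if entry["eos"] <= today:
                return "eos"
            if entry["eos"] <= today + timedelta(days=horizon_days):
                return "soon"
            return "supported"
    return "unlisted"  # absent from the list means "review manually", not "safe"

def remediation_queue(inventory: list, eos_list: list, as_of: str, horizon_days: int = 365) -> list:
    """Work order: EOS devices on critical access paths first, then other EOS, soon-EOS, then unlisted."""
    today = date.fromisoformat(as_of)
    rank = {"eos": 0, "soon": 1, "unlisted": 2, "supported": 3}
    rows = [(classify(a, eos_list, today, horizon_days), a) for a in inventory]
    rows.sort(key=lambda r: (rank[r[0]], not r[1]["critical_path"], r[1]["host"]))
    return [(status, a["host"]) for status, a in rows if status != "supported"]

if __name__ == "__main__":
    for status, host in remediation_queue(INVENTORY, EOS_LIST, "2026-03-01"):
        print(f"{status:9} {host}")
```

Devices that are not on the list at all are kept in the queue rather than dropped, since an unmatched product is exactly the kind of equipment the inventory phase is meant to surface.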

However, the deadline also doesn’t address the threat in the meantime, so IT and cybersecurity staff will need to remain diligent.

“One year is aggressive for federal procurement, but the threat environment doesn’t care about acquisition timelines,” warned Suzu Labs CEO Michael Bell.

He told ClearanceJobs that nation-state actors have been exploiting edge devices from Ivanti, Fortinet, and Barracuda faster than agencies can deploy patches.

“When there’s no patch coming because the vendor dropped support, you’re operating on borrowed time,” Bell added. “Whether agencies can actually execute within that window is a different question. Federal procurement cycles don’t compress easily, and you can’t simply remove a perimeter firewall without having a replacement staged and tested. For agencies that haven’t inventoried their edge devices, three months to catalog and twelve months to replace is going to feel impossible.”

Bell suggested that, from a pure security standpoint, one year is generous. “These devices should have been replaced when they went end-of-life. The directive is playing catch-up on years of deferred maintenance,” he added.

Next Year Isn’t the Finish Line

Even as CISA has given agencies a year to complete this work, it shouldn’t be seen as a hard finish line. The experts said we should instead expect partial compliance and numerous waiver requests.

The larger agencies with mature asset management programs will meet the deadline, whereas the smaller agencies and those with distributed networks will struggle. The cuts to the federal government won’t make it easier.

“The inventory phase is going to hurt,” said Bell, who suggested that a lot of agencies don’t have complete visibility into what’s actually deployed at the network edge, especially at field offices and remote sites. “You can’t replace what you haven’t found. The three-month inventory deadline is going to surface equipment that nobody knew existed, and that discovery phase will push the replacement timeline.”

As noted, there is also the question of budget.

“The directive doesn’t come with funding attached,” Bell continued. “Agencies will be competing for dollars in a budget environment that’s already constrained. Some will have to choose between compliance and other mission priorities. I’d expect CISA to be flexible with agencies that demonstrate good-faith progress. The alternative is declaring half the federal government non-compliant, which doesn’t serve anyone.”

A Systemic Problem

The directive may have exposed a systemic problem with the federal government, but it is hardly the first time, and it won’t be the last. It has been years in the making and cannot be ignored.

“As OT networks become more interconnected, the attack surface expands, increasing the likelihood that a compromised device could disrupt essential services or cause real-world harm,” said Saunders. “Security leaders must assume these legacy systems will persist and prioritize protections that reduce exploitability and strengthen resilience, rather than relying solely on replacement timelines.”

This issue has grown precisely because it seemed too large to tackle, and deferring it only let it expand. Only now has it reached a point where it can no longer be ignored, regardless of the cost. The risk of doing nothing simply outweighs the cost of acting.

“Federal IT procurement has historically treated hardware as a capital expense without lifecycle planning, especially in smaller agencies and departments that may lack an established acquisition process,” said Bell. “Agencies buy devices, deploy them, and don’t budget for the replacement cycle. When the manufacturer stops supporting the hardware, there’s no funding set aside for the upgrade.”

BOD 26-02 is forcing agencies to pay that technical debt all at once.

“The pain is real, but it’s the right call. Edge devices are where attackers get their initial foothold, and running unsupported equipment at the network perimeter is accepting risk that the government shouldn’t be carrying,” said Bell, who told ClearanceJobs that the cleared community should pay attention to how this plays out at agencies handling classified systems.

“Those networks often have even longer hardware refresh cycles and more complex approval processes,” Bell stated. “If civilian agencies struggle to meet the timeline, agencies with classified infrastructure will face even steeper challenges.”

Peter Suciu is a freelance writer who covers business technology and cyber security. He currently lives in Michigan and can be reached at petersuciu@gmail.com. You can follow him on Twitter: @PeterSuciu.