The Cybersecurity and Infrastructure Security Agency (CISA) told federal agencies on Thursday that they must immediately begin ripping and replacing all end-of-support edge devices.
In a binding operational directive (BOD), CISA said that agencies must update end-of support edge devices on their networks, which are devices that are no longer supported by their vendors. These devices are especially vulnerable to cyber threat campaigns that target unsupported devices sitting on an organization’s network perimeter, the agency explained.
To address that risk, CISA said federal civilian agencies must update devices to vendor-supported software, inventory and report unsupported equipment to CISA, remove and replace end-of-support devices as needed, and establish mature lifecycle management processes to ensure continuous visibility into edge devices and their support status.
“Unsupported devices pose a serious risk to federal systems and should never remain on enterprise networks,” said CISA Acting Director Madhu Gottumukkala in a statement.
“CISA strongly encourages non-federal organizations to adopt similar actions to strengthen the security of their edge devices,” he added.
The BOD’s specific timeline for completion directs agencies to inventory all devices within three months and remove and begin replacing those devices within 12 months.
In 18 months, all identified end-of-support devices must be fully decommissioned and replaced with supported devices. Within 24 months, agencies must establish mature lifecycle management processes for continuous discovery and inventory of edge devices approaching end-of-support.
CISA said it will monitor compliance with the BOD and assess agencies’ progress while providing support as required.
“Practicing good cyber hygiene starts with eliminating unsupported edge devices,” said?CISA Executive Assistant Director for Cybersecurity Nick Andersen. “By proactively managing asset lifecycles and removing end-of-support technology, we can collectively strengthen resilience and protect the global digital ecosystem.”