The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered Federal Civilian Executive Branch (FCEB) agencies to strengthen asset lifecycle management for edge network devices and remove those that no longer receive security updates from original equipment manufacturers (OEMs) over the next 12 to 18 months.
The agency said the move is to drive down technical debt and minimize the risk of compromise, as state-sponsored threat actors turn such devices as a preferred access pathway for breaking into target networks.
Edge devices is an umbrella term that encompasses load balancers, firewalls, routers, switches, wireless access points, network security appliances, Internet of Things (IoT) edge devices, software-defined networks, and other physical or virtual networking components that route network traffic and hold privileged access.
“Persistent cyber threat actors are increasingly exploiting unsupported edge devices — hardware and software that no longer receive vendor updates to firmware or other security patches,” CISA said. “Positioned at the network perimeter, these devices are especially vulnerable to persistent cyber threat actors exploiting a new or known vulnerability.”
To assist FCEB agencies in this regard, CISA said it has developed an end-of-support edge device list that acts as a preliminary repository with information about devices that have already reached end-of-support or are expected to lose support. This list will include the product name, version number, and end-of-support date.
The newly issued Binding Operational Directive 26-02, Mitigating Risk From End-of-Support Edge Devices, requires FCEB agencies to undertake the following actions –
- Update each vendor-supported-edge device running end-of-support software to a vendor-supported software version (With immediate effect)
- Catalog all devices to identify those that are end-of-support and report to CISA (Within three months)
- Decommission all edge devices that are end-of-support and listed in the edge device list from agency networks and replace them with vendor-supported devices that can receive security updates (Within 12 months)
- Decommission all other identified edge devices from agency networks and replace with vendor-supported devices that can receive security updates (Within 18 months)
- Establish a lifecycle management process to enable continuous discovery of all edge devices and maintain an inventory of those that are/will reach end-of-support (Within 24 months)
“Unsupported devices pose a serious risk to federal systems and should never remain on enterprise networks,” said CISA Acting Director Madhu Gottumukkala. “By proactively managing asset lifecycles and removing end-of-support technology, we can collectively strengthen resilience and protect the global digital ecosystem.”
