The United States Cybersecurity and Infrastructure Security Agency (CISA) has issued a mandatory order requiring federal agencies to identify and remove from their networks the edge devices (routers, firewalls, switches and similar equipment) that no longer receive security updates from their manufacturers. With this measure, the administration seeks to address a risk that, according to CISA, enables systematic exploitation by advanced actors and leaves critical systems exposed to newly discovered vulnerabilities.
The underlying problem is simple and urgent: when a device or piece of software reaches its "end-of-support" stage, it stops receiving patches. That makes the device a permanent target for attackers looking for unpatched vulnerabilities. The new directive, called Binding Operational Directive 26-02, requires federal agencies to act within specific time frames: inventory devices on an end-of-support list within a few months, immediately remove or update those for which updates are available, and complete the replacement of all out-of-support equipment within a longer period of months. The text of the directive is available on the official CISA page here.

The directive divides the actions into phases: first, rapid and prioritized identification of vulnerable devices; then, immediate removal or updating of equipment for which the manufacturer still offers patches; in the medium term, retirement of hardware that was already out of support before the order; and finally, implementation of continuous processes to discover and monitor the inventory of the edge infrastructure. In parallel, CISA encourages non-federal network operators and defenders to adopt the same recommendations, pointing them to an IC3 information sheet on these devices available here.
Why the focus on edge devices? Because these devices control the flow of traffic between internal and external networks; a vulnerable router or firewall can be the gateway to an entire network. In addition, they are often managed less rigorously than servers or workstations, are installed in heterogeneous environments and sometimes go unreviewed for long periods. This combination makes them an attractive vector both for automated exploitation campaigns and for actors seeking to pivot into more valuable assets within an organization.
The mandate is the result of incidents and trends observed by CISA itself and by the security community: widespread exploitation of end-of-life devices, targeted attacks that use unpatched vulnerabilities or weak credentials, and persistent campaigns that use these weaknesses to deploy ransomware, install backdoors or steal information. The agency has issued similar directives in recent years; for example, in 2023 it published another order to close management interfaces exposed to the Internet (a related problem) and in parallel launched pilot programmes to warn organizations about the risk of ransomware on their network devices.
What can organizations do today, even if they are not federal agencies? The first measure is simple in concept but requires work: know what is connected to the network. Maintaining an up-to-date, automated inventory of equipment and of software and firmware versions is the basis for any security effort. It is then recommended to segment traffic, apply strict access controls to management interfaces, monitor with intrusion detection, and rely on compensating measures (such as allowlists, deep packet inspection or segmentation) while critical equipment is being replaced. CISA and other agencies offer guides and technical sheets with concrete measures; the directive and the IC3 information sheet are good starting points, and the NIST Cybersecurity Framework can help prioritize risks and controls (NIST Cybersecurity Framework).
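The phased triage the directive describes (identify end-of-support devices, update or remove those that still have vendor patches, schedule replacement of the rest, and keep the inventory under continuous review) can be turned into a repeatable check over the device inventory the previous paragraph calls for. The following script is an added example and is not code from CISA, from the directive, or from any vendor: the inventory, the vendor names and models, the support dates and firmware versions are all constructed placeholders, and the status labels (END_OF_SUPPORT, UNKNOWN_SUPPORT, UPDATE_AVAILABLE, EOS_APPROACHING, SUPPORTED_CURRENT) and the 365-day planning horizon are this example's own assumptions, chosen to mirror the phases described above.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed edge-device inventory record (assumed fields, not a vendor format).
@dataclass(frozen=True)
class EdgeDevice:
    hostname: str
    role: str              # "router", "firewall" or "switch"
    vendor: str
    model: str
    firmware: str
    internet_facing: bool  # exposed devices are prioritized within each status

# Constructed vendor support record: end-of-support date (None = no date
# announced) and the latest firmware the vendor currently offers.
@dataclass(frozen=True)
class SupportRecord:
    end_of_support: Optional[date]
    latest_firmware: str

# Constructed support data keyed by (vendor, model). Placeholder products and
# dates only; in practice this comes from vendor lifecycle notices.
SUPPORT_DATA: Dict[Tuple[str, str], SupportRecord] = {
    ("ExampleVendor", "EdgeRouter-100"): SupportRecord(date(2024, 6, 30), "4.2.9"),
    ("ExampleVendor", "EdgeRouter-200"): SupportRecord(None, "5.1.3"),
    ("AnotherVendor", "FW-10"): SupportRecord(date(2026, 9, 30), "7.0.2"),
    ("AnotherVendor", "FW-20"): SupportRecord(None, "8.4.0"),
}

# Constructed inventory, as a discovery tool or CMDB export might provide it.
INVENTORY: List[EdgeDevice] = [
    EdgeDevice("rtr-dmz-01", "router", "ExampleVendor", "EdgeRouter-100", "4.2.9", True),
    EdgeDevice("rtr-core-01", "router", "ExampleVendor", "EdgeRouter-200", "5.0.8", False),
    EdgeDevice("fw-edge-01", "firewall", "AnotherVendor", "FW-10", "7.0.2", True),
    EdgeDevice("fw-edge-02", "firewall", "AnotherVendor", "FW-20", "8.4.0", True),
    EdgeDevice("sw-branch-07", "switch", "LegacyVendor", "Switch-X", "1.0", False),
]

TODAY = date(2026, 1, 15)        # fixed reference date so results are reproducible
APPROACHING_HORIZON = timedelta(days=365)  # assumed planning horizon for replacement

# Lower number = handle first. Unknown support status is ranked right after
# confirmed end-of-support: a device nobody can vouch for is not "supported".
PRIORITY = {
    "END_OF_SUPPORT": 0,
    "UNKNOWN_SUPPORT": 1,
    "UPDATE_AVAILABLE": 2,
    "EOS_APPROACHING": 3,
    "SUPPORTED_CURRENT": 4,
}

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version like '5.0.8' into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))

def classify(dev: EdgeDevice, today: date = TODAY,
             support: Dict[Tuple[str, str], SupportRecord] = SUPPORT_DATA,
             horizon: timedelta = APPROACHING_HORIZON) -> str:
    """Map one device onto a triage status following the directive's phases."""
    rec = support.get((dev.vendor, dev.model))
    if rec is None:
        return "UNKNOWN_SUPPORT"        # no lifecycle data: verify, do not assume supported
    if rec.end_of_support is not None and rec.end_of_support <= today:
        return "END_OF_SUPPORT"         # retire or replace; no patches will come
    if parse_version(dev.firmware) < parse_version(rec.latest_firmware):
        return "UPDATE_AVAILABLE"       # vendor still patches it: update immediately
    if rec.end_of_support is not None and rec.end_of_support - today <= horizon:
        return "EOS_APPROACHING"        # still supported, but plan the replacement now
    return "SUPPORTED_CURRENT"

def triage(inventory: List[EdgeDevice] = INVENTORY, today: date = TODAY,
           support: Dict[Tuple[str, str], SupportRecord] = SUPPORT_DATA) -> List[Tuple[str, str]]:
    """Return (hostname, status) pairs ordered by urgency, exposed devices first."""
    rows = []
    for dev in inventory:
        status = classify(dev, today, support)
        rows.append((PRIORITY[status], not dev.internet_facing, dev.hostname, status))
    rows.sort()
    return [(hostname, status) for _, _, hostname, status in rows]

if __name__ == "__main__":
    for hostname, status in triage():
        print(f"{hostname:14} {status}")
```

Run on the constructed inventory, the report lists the out-of-support DMZ router first, then the switch whose vendor has no lifecycle record, then the core router that is merely behind on firmware, and only afterwards the devices that need nothing more than scheduled planning. Feeding a real export into `INVENTORY` and real vendor lifecycle notices into `SUPPORT_DATA`, and re-running it on a schedule, is the "continuous discovery" the directive asks for in its final phase.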

There is, however, a practical dimension that often complicates implementation: costs and life-cycle management. Organizations face limited budgets, supplier contracts and interoperability constraints with existing systems. This is why CISA structures the directive around time limits: they allow agencies to prioritize the most critical assets and apply temporary measures to the least urgent ones, while still obliging them to reach a fully supported infrastructure. The agency stresses that keeping equipment out of support is no longer an acceptable option in terms of risk.
The implicit message for the private sector and for IT administrators is clear: even though the order is mandatory only for certain agencies, no one should rely on devices that do not receive patches. Network defenders must assume that attackers are already looking for those openings, and act accordingly. For coverage and analysis of the topic, specialized media have followed the announcement closely; for example, BleepingComputer published a technical report on the order and its implications here.
In the end, this directive is a wake-up call: the attack surface is not abstract; it is made up of physical and virtual equipment with expiry dates. Identify, patch or replace, and maintain continuous discovery processes: that is the way to reduce avoidable risk. Organizations that take these measures now will be better placed to resist the exploitation campaigns that, according to CISA, are already being run against edge devices worldwide.