The Cybersecurity and Infrastructure Security Agency has introduced a new directive requiring federal civilian executive branch, or FCEB, agencies to strengthen security controls for edge devices by removing unsupported hardware and software from federal networks.
CISA’s new directive highlights the continued focus on strengthening cybersecurity across government networks. As agencies and industry stakeholders track evolving requirements and threat-driven priorities, the Potomac Officers Club’s 2026 Cyber Summit will bring together leaders from across the federal cyber community. Register now to save your seat at this May 21 event!
CISA said Thursday the directive—Binding Operational Directive 26-02, Mitigating Risk From End-of-Support Edge Devices—is intended to reduce technical debt and limit the risk of cyber compromise associated with devices that no longer receive vendor security updates.
Table of Contents
What Are the Required Actions Under the CISA Edge Device Security Directive?
CISA outlined several mandatory steps agencies must take under the directive, including updating vendor-supported edge devices running end-of-support software to a vendor-supported version and conducting an inventory of all devices to identify those that are end-of-support. Agencies must also report inventory findings to CISA.
The directive also requires agencies to remove all end-of-support edge devices from agency networks and replace them as needed with vendor-supported devices that can receive security updates. Agencies must develop a mature lifecycle management process for continuous discovery of edge devices and maintain an inventory of those that are or will become end-of-support.
What Did CISA Leadership Say About Edge Device Security?
CISA Acting Director Madhu Gottumukkala said unsupported edge devices should not remain on enterprise networks due to the risk they pose to federal systems.
“When the threat landscape demands decisive action, CISA will direct FCEB agencies to strengthen cyber resilience and build a stronger, safer digital infrastructure for America’s future. CISA strongly encourages non-federal organizations to adopt similar actions to strengthen the security of their edge devices,” added Gottumukkala.
Nick Andersen, executive assistant director for cybersecurity at CISA, said removing unsupported edge devices is a key part of maintaining cyber hygiene and reducing risk across government systems.
“Driving timely risk reduction across the federal enterprise is critical, but true impact comes when all organizations commit to the same goal. By proactively managing asset lifecycles and removing end-of-support technology, we can collectively strengthen resilience and protect the global digital ecosystem,” Andersen noted.
What Are CISA’s Recent Directives & Actions?
CISA has taken several recent actions to address urgent cyber risks across federal networks. The agency previously issued an emergency directive requiring agencies to identify and update at-risk F5 virtual and physical devices and software. CISA has also released a directive related to vulnerabilities in Cisco Adaptive Security Appliance and Firepower devices, citing exploitation concerns and required mitigation steps.
In January, CISA announced the retirement of 10 older emergency directives, noting that the required actions had been completed or incorporated into broader federal vulnerability management requirements under Binding Operational Directive 22-01.
