Amid exploitation campaigns targeting end of support (EOS) edge devices, the US’ leading cybersecurity agency has issued a directive to decommission all such devices within 12 months.

On February 5, the Cybersecurity and Infrastructure Security Agency (CISA) published Binding Operational Directive 26-02: Mitigating Risk From End-of-Support Edge Devices.

The directive applies to all civil federal, executive branch, departments and agencies.

“The imminent threat of exploitation to agency information systems running EOS edge devices is substantial and constant, resulting in a significant threat to federal property,” said CISA in a statement.

The agency noted that, unlike other attack vectors, this issue can be remediated by following lifecycle management practices, which are outlined in the directive.

EOS devices deployed on the “edge” or public-facing areas of federal networks, exposed to external environments such as the internet are being specifically targeted by the decommissioning.

CISA noted that EOS devices ought not to reside elsewhere on federal networks.

End‑of‑life devices have become attractive targets for nation‑state threat actors, who increasingly exploit outdated or unsupported hardware as an entry point into networks.

Timeline for End-of-Life Device Decommissioning

To first support agencies identify EOS devices, CISA has developed an EOS Edge Device List.

Using this list, federal agencies are required to identify and remediate vulnerabilities within the first three months of directive issuance. 

All devices with an EOS date on or before 12 months from the issuance of the directive must be decommissioned and the action reported to CISA.

All edge devices with an EOS within the following 12 months must be inventoried.

Within 18 months from the directive issue date, all identified d EOS edge devices from agency networks, replacing devices as needed with vendor-supported devices that can receive current security updates.

Next, agencies must, within two years, establish a process for continuous discovery of all edge devices within their environments and maintain an inventory of those that are EOS or will become EOS within twelve months.