Full Report
The U.S. cyber defense agency issued an operational directive on Thursday requiring federal agencies to “remove any hardware and software devices that is no longer supported by its original equipment manufacturer.”
Analysis Summary
# Regulation/Compliance: CISA BOD Mandate on End-of-Life Edge Device Removal
## Overview
This operational directive requires U.S. federal agencies to identify and remove from their networks all hardware and software devices that are no longer supported (End-of-Life or End-of-Service) by their Original Equipment Manufacturer (OEM). The primary driver is mitigating the significant risk posed by sophisticated cyber threat actors, including nation-states, who actively exploit vulnerabilities in unsupported edge devices.
## Key Details
- Issuing Authority: Cybersecurity and Infrastructure Security Agency (CISA)
- Effective Date: The directive was issued on Thursday (implied to be February 5th, 2026, based on article date).
- Jurisdiction: U.S. Federal Civilian Agencies.
- Status: Final (Operational Directive - Binding).
## Requirements
### Mandatory Requirements
1. **Device Removal:** Agencies must remove *any* hardware and software device that is no longer supported by its OEM from enterprise networks.
2. **Inventory Submission:** Agencies must provide CISA with an inventory of all identified end-of-life devices (based on CISA's provided list) within **three months** of the directive's issuance.
3. **Device Replacement/Update:** Agencies must update all in-scope devices and replace end-of-life devices with models capable of receiving necessary security updates.
4. **Continuous Discovery Process:** Within **two years**, agencies must establish a documented process for the continuous discovery and identification of all edge devices that may become end-of-life.
### Recommended Practices
1. Practicing good cyber hygiene by proactively eliminating unsupported edge devices.
2. Collaborating with CISA for assistance if implementation help is needed.
## Affected Organizations
- Industries: Federal Government (Specifically Federal Civilian Executive Branch Agencies).
- Organization Size: Not explicitly stated, but applies organization-wide across covered agencies.
- Geographic Scope: United States Federal Agencies.
## Compliance Timeline
- **T + 3 Months:** Federal agencies must provide CISA with an inventory of all end-of-life devices on their networks.
- **T + 1 Year (12 Months):** All identified end-of-life devices must be fully decommissioned.
- **T + 2 Years:** A process must be established for the continuous discovery of end-of-life edge devices.
## Implementation Guidance
### Assessment Phase
- Utilize the CISA-provided "EOS Edge Device List" to identify devices currently end-of-service or approaching end-of-service status.
- Conduct thorough asset management and network discovery to locate all relevant hardware and software, particularly edge devices.
### Implementation Phase
- Prioritize the immediate replacement or patching of devices identified as unsupported.
- Procure and deploy devices that are actively supported and capable of receiving sustained security updates.
### Validation Phase
- CISA will track agency progress toward compliance. (Agencies should document their decommissioning and replacement actions for internal auditing and potential external verification by CISA.)
## Technical Requirements
- **Scope of Devices:** Includes, but is not limited to, load balancers, firewalls, routers, switches, wireless access points, network security appliances, and Internet of Things (IoT) edge devices.
- **Security Posture:** Systems must run on hardware and software that actively receives firmware or other security patches from the vendor.
## Penalties & Enforcement
- Fines: Not explicitly detailed in the summary provided.
- Other Consequences: The directive is an *operational mandate* from CISA, implying that failure to comply subjects the agency or responsible personnel to internal oversight findings, potential loss of funding authority related to IT security, or formal administrative action by CISA.
- Enforcement: CISA stated it **will track the progress of compliance.**
## Related Standards
- **NIST Cybersecurity Framework (CSF) / SP 800 Series:** This directive strongly aligns with the **Identify** Function (Asset Management category) and the **Protect** Function (Maintenance and Vulnerability Management categories) of the NIST CSF, requiring proactive elimination of known risks.
- **CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act):** While not the basis of this directive, this action complements the broader federal movement toward higher hygiene standards enforced by CISA.
## Resources
- Official Documentation: CISA Operational Directive BOD 26-02 (Title: Mitigating Risk from End-of-Support Edge Devices). (Access via CISA news releases).
- Guidance Documents: CISA created the "EOS Edge Device List" (Note: This list is not published publicly).
- Tools: Agencies will likely need robust Network Access Control (NAC) and asset inventory management tools to meet the continuous discovery requirement.
## Practical Recommendations
1. **Immediately initiate data gathering** to cross-reference current assets against the proprietary CISA End-of-Support list.
2. **Rapidly adjust budget and procurement** to fund the replacement of critical, unsupported edge infrastructure within the one-year mandate.
3. **Establish a governance framework** to ensure that any new device procurement includes a verifiable End-of-Support date that extends well beyond immediate deployment to prevent recurrence.