The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently issued a new round of mandatory cybersecurity directives, requiring all federal civilian agencies to comprehensively investigate and remove edge network equipment and software that have ceased vendor support, including outdated routers, firewalls, VPN gateways, and switches. Regulatory authorities emphasized that such "end-of-life" edge devices have become one of the main entrances for state-level hackers to penetrate government networks and must be remediated within a limited time.

The document, titled "Binding Operational Directive 26-02," was jointly issued by CISA and the White House Office of Management and Budget. It aims to address a prominent long-standing weakness in the federal IT system: outdated, unpatched network perimeter infrastructure. CISA notes that in many attacks, adversaries do not rely on stolen credentials or phishing emails, but first look for older routers and firewalls that have not been updated in years and are no longer maintained to gain a foothold into government networks.

Under the new directive, federal agencies are required to immediately update devices that are still within the manufacturer's support cycle, and must replace any devices that have ended support within 12 months. Within 3 months of the effective date of the directive, agencies must complete an exhaustive inventory of all edge devices and indicate which ones have exceeded their manufacturer support period. In the following year, relevant agencies need to retire these "end-of-service" equipment step by step and develop replacement plans simultaneously to prevent the new batch of equipment from entering the out-of-warranty state again in the short term.

The directive further sets an 18-month deadline by which time all unsupported devices must be completely removed from federal government networks. In order to prevent "resurgence", the document also requires agencies to establish a continuous tracking mechanism to ensure that obsolete equipment after cleaning will not be quietly reconnected to the network environment.

Madhu Gottumukkala, acting director of CISA, said the move was both "overdue" and "inevitable." For years, CISA has been monitoring how attackers are exploiting network devices that no longer receive security updates to breach government systems that already have modern endpoint protections in place. Nick Andersen, executive assistant director for cybersecurity at CISA, also pointed out that both state-sponsored hacker organizations and profit-seeking attack groups are increasingly targeting such old equipment and exploiting vulnerabilities in out-of-date firmware to intrude. Once successful, they can move laterally across the network, steal data, or interfere with critical business operations.

The Known Exploited Vulnerabilities directory maintained by CISA has documented multiple attacks related to discontinued network equipment, including a vulnerability related to discontinued D-Link routers disclosed in December. The agency also cited a nation-state attack in 2025 attributed to China that extensively used older network equipment to conduct cyber espionage.

While the directive is mandatory for federal civilian agencies, it does not impose direct financial or legal penalties. CISA and the Office of Management and Budget will apply pressure through progress tracking and public reporting of performance, but in practice, agencies will often execute such "bundled operational directives" as high-priority security tasks.

To support implementation efforts, CISA has established an internal "End of Service Edge Device List" of device models commonly found in federal environments that are approaching or beyond their manufacturer's support life. For security reasons, this list will not be made public to avoid providing targeting clues to potential attackers. For agencies outside the federal administrative system—including state and local governments and private companies—CISA recommends that they proactively communicate with equipment manufacturers to understand the support cycles and risk status of the equipment they use.