CISA Releases: Binding Operational Directive 26-02
https://www.linkedin.com/pulse/cisa-releases-binding-operational-directive-26-02-albne
Publish Date: 2026-02-06 15:30:00
Source Domain: www.linkedin.com
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released: Binding Operational Directive 26-02, which focuses on mitigating risks from end-of-support (EOS) edge devices.
A Binding Operational Directive is a compulsory direction to federal executive branch departments and agencies for the purpose of safeguarding federal information and information systems.
CISA urges all organizations to implement the following mitigations immediately:
- Update supported hardware edge devices running EOS software or firmware to a supported version.
- Use CISA's EOS Edge Device List to identify and inventory all edge devices that are EOS or will reach EOS within the next 12 months.
- Decommission EOS devices from networks and replace them with vendor-supported devices that still receive security updates.
- Establish a process for continuous discovery of edge devices.
Background
The United States continues to face persistent cyber campaigns that threaten both public and private sectors, directly endangering the security and privacy of the American people. A significant driver of these threats is the presence of unsupported devices operating at the edge of organizational network perimeters. These unsupported devices, referred to in this Directive as "end of support (EOS)" devices, are no longer maintained by their vendors and no longer receive security updates or patches.
The risk posed by EOS edge devices to federal information systems is immediate, ongoing, and severe. CISA has observed widespread exploitation campaigns by advanced threat actors targeting these devices, often using them as entry points to pivot deeper into Federal Civilian Executive Branch (FCEB) networks. Edge devices are particularly attractive targets due to their privileged access, broad network visibility, and frequent integration with identity and access management systems. Because EOS devices no longer receive vendor support or security updates, they remain vulnerable to newly discovered exploits, creating disproportionate and unacceptable risk to federal systems and property. Unlike many cyber threats, however, this risk can be effectively mitigated through disciplined lifecycle management practices, as required by this Directive.
This Binding Operational Directive (BOD), developed in coordination with the Office of Management and Budget (OMB), implements OMB policy requiring the rapid phase-out of unsupported information systems and components. BOD 26-02 specifically addresses EOS devices deployed at the edge or other public-facing areas of federal networks exposed to external environments such as the internet. While the focus is on edge devices, EOS technology should not exist anywhere on federal networks.
This Directive aligns with OMB Circular A-130, Managing Information as a Strategic Resource, which requires agencies to phase out unsupported systems as quickly as possible and to incorporate migration planning and funding into IT lifecycle management. Agencies are expected to identify hardware and software approaching EOS, plan and budget for timely replacement, procure vendor-supported alternatives, and decommission EOS devices with minimal operational disruption. Agencies that lack mature lifecycle management processes face a significantly higher risk of compromise.
To assist agencies with initial identification efforts, CISA has developed the EOS Edge Device List, a preliminary repository of devices that are already EOS or approaching EOS. Agencies are required to use this list to identify and remediate vulnerabilities within the first three months following issuance of this Directive. The Directive also establishes long-term requirements for managing EOS edge devices across all federal networks.
As agencies plan for edge device refreshes, they should consider the requirements of OMB Memorandum M-22-09, Moving the U.S. Government Toward Zero Trust Cybersecurity Principles. Key areas include multifactor authentication, asset management and identification, isolation of critical workloads through strong access policies, and encryption of data in transit. Additional guidance is available in NIST SP 800-207, CISA's TIC 3.0 Capability Catalog, and CISA's Zero Trust Maturity Model.
Definitions
End of Support (EOS): Hardware, firmware, or software that no longer receives timely, vendor-supported updates, including security patches, CVE remediation, hotfixes, or defect corrections.
Edge Devices: Technologies located at the boundary of an agency's network that are accessible from the public internet. This includes, but is not limited to, firewalls, routers, switches, load balancers, wireless access points, network security appliances, IoT edge devices, software-defined networking components, and other physical or virtual devices that route traffic or provide privileged access.
Scope
This Directive applies to all devices that:
Function as edge devices operating as components of an information system owned or operated by, or on behalf of, an agency;
Are designated as EOS by their vendor or by CISA; and
Are physically or logically located at an agency's network boundary.
The Directive applies to all FCEB information systems, whether operated directly by agencies or hosted by third parties on an agency's behalf. While contractors are not directly subject to this Directive, agencies may need to modify contracts to ensure compliance. This Directive does not apply to Operational Technology devices or to FedRAMP-authorized cloud products and services designated as out of scope by OMB Memorandum M-24-15.
Required Actions
Immediately upon issuance and until rescinded or superseded, FCEB agencies shall:
Update EOS software or firmware on vendor-supported edge devices to supported versions where doing so does not adversely affect mission-critical operations.
Within three (3) months of issuance, agencies shall:
Inventory all devices listed in the CISA EOS Edge Device List and submit the inventory to CISA using the provided template.
Within twelve (12) months of issuance, agencies shall:
Decommission all listed EOS edge devices with EOS dates on or before this deadline and replace them with vendor-supported alternatives.
Report completed decommissions to CISA.
Inventory all edge devices that are EOS or will become EOS within the following twelve months and submit this inventory to CISA.
Within eighteen (18) months of issuance, agencies shall:
Decommission all remaining EOS edge devices within scope and report these actions to CISA.
Within twenty-four (24) months of issuance, agencies shall:
Establish continuous discovery processes for edge devices.
Maintain an inventory of devices approaching EOS within twelve months.
Decommission devices on or before their EOS dates and report actions to CISA in accordance with current guidance.
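The inventory and deadline rules in the Required Actions above reduce to a reconciliation step that agencies will have to run repeatedly: join the current edge-device inventory against an EOS list, bucket each device as already EOS, EOS within the next twelve months, or still supported, and derive the decommission deadline each device inherits from the 12-month, 18-month and steady-state milestones. The script below is an added example written for this summary; it is not CISA tooling and not part of the Directive. The CSV column layouts, the issuance date passed as a parameter, and every vendor, product, hostname and date in the sample data are assumed or constructed.

```python
"""Reconcile an edge-device inventory against an EOS list (added illustration).

Not CISA tooling. CSV layouts are assumed; the issuance date is a parameter;
all vendors, products, hosts and dates in the sample data are constructed.
"""
from __future__ import annotations
import csv
import io
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed stand-in for the CISA EOS Edge Device List (column layout assumed).
EOS_LIST_CSV = """vendor,product,eos_date
ExampleVendor,EdgeFW-100,2025-06-30
ExampleVendor,EdgeFW-200,2026-09-15
OtherVendor,LB-Classic,2027-01-31
"""

# Constructed agency inventory export (column layout assumed).
INVENTORY_CSV = """hostname,vendor,product,site,internet_facing
fw-hq-1,ExampleVendor,EdgeFW-100,HQ,yes
fw-hq-2,ExampleVendor,EdgeFW-200,HQ,yes
lb-dc-1,OtherVendor,LB-Classic,DC,yes
fw-lab-1,ExampleVendor,EdgeFW-300,Lab,no
"""


@dataclass(frozen=True)
class Finding:
    hostname: str
    vendor: str
    product: str
    eos_date: str | None   # ISO date from the list; None when the device is not listed
    status: str            # "eos", "eos_within_12_months", "supported" or "unlisted"
    deadline: str | None   # ISO decommission deadline implied by the Directive


def _key(vendor: str, product: str) -> tuple[str, str]:
    """Normalise vendor/product so case and stray whitespace do not hide a match."""
    return vendor.strip().casefold(), product.strip().casefold()


def load_eos_list(text: str) -> dict[tuple[str, str], date]:
    """Map normalised (vendor, product) to the vendor-declared EOS date."""
    return {_key(r["vendor"], r["product"]): date.fromisoformat(r["eos_date"].strip())
            for r in csv.DictReader(io.StringIO(text))}


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic that clamps the day (31 Jan + 1 month -> 28/29 Feb)."""
    carry, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + carry, month0 + 1
    first_of_next = date(year + (month == 12), month % 12 + 1, 1)
    return date(year, month, min(d.day, (first_of_next - timedelta(days=1)).day))


def directive_deadline(eos_iso: str | None, issued_iso: str) -> str | None:
    """Deadline from the milestones: EOS on or before issuance+12 months -> that mark;
    otherwise issuance+18 months; beyond that, the steady-state rule is the EOS date."""
    if eos_iso is None:
        return None
    issued, eos = date.fromisoformat(issued_iso), date.fromisoformat(eos_iso)
    twelve, eighteen = add_months(issued, 12), add_months(issued, 18)
    if eos <= twelve:
        return twelve.isoformat()
    return eighteen.isoformat() if eos <= eighteen else eos.isoformat()


def classify(inventory_csv: str, eos_list_csv: str, as_of: str,
             issued: str | None = None, horizon_months: int = 12) -> list[Finding]:
    """Bucket every inventoried device by EOS status as of `as_of` (ISO date)."""
    eos_by_key = load_eos_list(eos_list_csv)
    today = date.fromisoformat(as_of)
    horizon = add_months(today, horizon_months)
    issued = issued or as_of  # assumption: issuance date defaults to the as_of date
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        eos = eos_by_key.get(_key(row["vendor"], row["product"]))
        if eos is None:
            # Absent from the list is not "supported": the list is preliminary and the
            # Directive's EOS definition turns on vendor support, so check the vendor.
            status = "unlisted"
        elif eos <= today:
            status = "eos"
        elif eos <= horizon:
            status = "eos_within_12_months"
        else:
            status = "supported"
        eos_iso = eos.isoformat() if eos else None
        findings.append(Finding(row["hostname"], row["vendor"], row["product"],
                                eos_iso, status, directive_deadline(eos_iso, issued)))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count devices per status, e.g. for the cover note on the inventory submission."""
    return dict(Counter(f.status for f in findings))


if __name__ == "__main__":
    for f in classify(INVENTORY_CSV, EOS_LIST_CSV, as_of="2026-02-06"):
        print(f"{f.hostname:9} {f.vendor}/{f.product:11} {f.status:22} deadline={f.deadline}")
```

Two caveats for anyone adapting this. Matching on vendor and product strings is brittle; a real EOS list may key on model families or firmware trains, so the join condition should follow whatever identifiers the published list actually uses. And the inventory side should be fed from the continuous discovery process the 24-month milestone requires (external attack-surface scans, configuration management, cloud and SD-WAN controller exports), not from a spreadsheet that is only refreshed at reporting time, otherwise unlisted and newly exposed devices are exactly the ones that get missed.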
Valentine's Webinar | Orchid Security
Join us Wednesday, February 18 at 12 PM ET for Securely Yours: When IAM Meets the CISO, a Valentine's-themed webinar exploring this essential security duo.
- What makes this partnership work (spoiler: trust, not romance)
- How alignment strengthens both teams and the organization
- Why organizations perform best when these two move as one
This session is perfect for anyone who wants to protect their org without losing sleep or sanity.