CISA orders agencies to patch and replace end-of-life devices, citing active exploitation
Publish Date: 2026-02-05 14:48:00
Source Domain: www.nextgov.com
Summary of Cybersecurity Directive to Federal Agencies:
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a binding operational directive to federal agencies, alerting them to a significant threat posed by widespread exploitation of unsupported, internet-facing edge devices. The directive demands an extensive, phased effort to identify, remove, and replace such outdated devices within federal networks, which continue to be a prime target for nation-state adversaries. The mandate provides agencies with a structured timeline to manage this transition: three months for an inventory, a year to start removal, and 18 months to complete the process, after which ongoing monitoring is required to guard against outdated systems being reintroduced. CISA emphasized that unsupported devices should not remain on any enterprise network, urging both governmental and private sector adoption to bolster edge device security. Although the directive is binding, CISA defers direct enforcement to the Office of Management and Budget.
Key Points:
- CISA detected widespread exploitation of unsupported, internet-facing edge devices.
- The directive aims to mitigate substantial and constant threats posed by these outdated systems.
- The directive includes a phased timeline for inventory, removal, and decommissioning of insecure devices.
- CISA stresses the importance of removing unsupported devices completely and encourages other organizations to follow suit.
- CISA partners with the Office of Management and Budget to track compliance with the directive.