CISA Orders Federal Agencies to Remove Unsupported Edge Devices in Sweeping Cybersecurity Directive

In early February 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) formally issued Binding Operational Directive 26-02 (BOD 26-02): Mitigating Risk From End-of-Support Edge Devices — a decisive move to tighten cybersecurity across federal civilian networks by forcing agencies to identify, inventory, and replace outdated network equipment that no longer receives updates from its manufacturers.

The directive comes amid rising concerns that cyber threat actors — including sophisticated nation-state groups — are actively scanning for and exploiting end-of-support (EOS) devices positioned at the “edge” of networks, such as firewalls, routers, switches, VPN gateways, and other internet-facing hardware. These devices, if left unsupported, no longer receive security patches for newly discovered vulnerabilities — a risk CISA calls disproportionate and unacceptable for systems that protect sensitive federal data and operations.

Why Edge Devices Matter

Edge devices sit at the critical boundary between an organization’s internal network and the public internet. Because they often serve as the first point of contact for incoming traffic and facilitate key routing functions, vulnerabilities in these systems can become attack vectors for hackers seeking network access. Unsupported edge devices are particularly attractive to adversaries, as they contain unpatched vulnerabilities that may be trivial to exploit.

The accompanying fact sheet released jointly by CISA, the Federal Bureau of Investigation (FBI), and the U.K.’s National Cyber Security Centre (NCSC) highlights how nation-state actors use EOS devices to gain persistent access, move laterally into modern networks, and ultimately exfiltrate or disrupt sensitive systems and data.

What the Directive Requires

BOD 26-02 lays out a timeline for federal civilian agencies to close this growing security gap:

  • Immediately: Agencies must update vendor-supported devices that have reached EOS status — where doing so does not break critical operations.
  • Within 3 months: Agencies must inventory all edge devices that are on the EOS Edge Device List developed by CISA and report these inventories to CISA.
  • Within 12 months: Devices already past support must be decommissioned and replaced with supported alternatives that receive ongoing security updates.
  • Within 18 months: All other identified EOS edge devices must be removed from federal networks.
  • Within 24 months: Agencies must put in place a continuous discovery and lifecycle management process to ensure devices nearing EOS are identified long before they become a vulnerability.

Beyond these deadlines, agencies are expected to maintain robust asset inventories and lifecycle processes to avoid future cybersecurity blind spots.

A Broader Call to Cyber Defenders

Although BOD 26-02 legally binds only Federal Civilian Executive Branch (FCEB) agencies, the fact sheet and related guidance explicitly encourage all public and private sector organizations to adopt similar practices. Unsupported edge devices do not exclusively threaten federal systems; they present risks everywhere they exist, particularly in critical infrastructure, municipal networks, and enterprise environments.

The guidance from CISA, FBI, and NCSC advises organizations to adopt defensive actions beyond compliance timelines — including continuous network scanning for undocumented legacy devices, automated patching where possible, and proactive replacement of outdated systems.

What This Means for Cybersecurity Culture

At its core, BOD 26-02 underscores a shift in how cybersecurity is managed at scale: from reactive patching and ad-hoc responses to structured asset lifecycle management. Historically, devices such as routers and switches have remained in production long after vendors ceased updating them, a simple convenience that has become a liability as cyber threats grow in sophistication.

By mandating timelines and actionable steps for decommissioning outdated network gear, the U.S. government aims not only to defend its own systems but also to set a precedent for cybersecurity best practices industrywide. For organizations looking to build resilient and sustainable security programs, the message is clear: unsupported technology is no longer acceptable — and unmanaged edge devices are a high-risk entry point that must be addressed before attackers exploit them.