The Cybersecurity and Infrastructure Security Agency has introduced a new directive requiring federal civilian executive branch, or FCEB, agencies to strengthen security controls for edge devices by removing unsupported hardware and software from federal networks.
CISA’s new directive highlights the continued focus on strengthening cybersecurity across government networks. As agencies and industry stakeholders track evolving requirements and threat-driven priorities, the Potomac Officers Club’s 2026 Cyber Summit will bring together leaders from across the federal cyber community. Register now to save your seat at this May 21 event!
CISA said Thursday the directive—Binding Operational Directive 26-02, Mitigating Risk From End-of-Support Edge Devices—is intended to reduce technical debt and limit the risk of cyber compromise associated with devices that no longer receive vendor security updates.
Table of Contents
What Are the Required Actions Under the CISA Edge Device Security Directive?
CISA outlined several mandatory steps agencies must take under the directive, including updating vendor-supported edge devices running end-of-support software to a vendor-supported version and conducting an inventory of all devices to identify those that are end-of-support. Agencies must also report inventory findings to CISA.
The directive also requires agencies to remove all end-of-support edge devices from agency networks and replace them as needed with vendor-supported devices that can receive security updates. Agencies must develop a mature lifecycle management process for continuous discovery of edge devices and maintain an inventory of those that are or will become end-of-support.
What Did CISA Leadership Say About Edge Device Security?
CISA Acting Director Madhu Gottumukkala said unsupported edge devices should not remain on enterprise networks due to the risk they pose to federal systems.
“When the threat landscape demands decisive action, CISA will direct FCEB agencies to strengthen cyber resilience and build a stronger, safer digital infrastructure for America’s future. CISA strongly encourages non-federal organizations to adopt similar actions to strengthen the security of their edge devices,” added Gottumukkala.
Nick Andersen, executive assistant director for cybersecurity at CISA, said removing unsupported edge devices is a key part of maintaining cyber hygiene and reducing risk across government systems.
“Driving timely risk reduction across the federal enterprise is critical, but true impact comes when all organizations commit to the same goal. By proactively managing asset lifecycles and removing end-of-support technology, we can collectively strengthen resilience and protect the global digital ecosystem,” Andersen noted.
What Are CISA’s Recent Directives & Actions?
CISA has taken several recent actions to address urgent cyber risks across federal networks. The agency previously issued an emergency directive requiring agencies to identify and update at-risk F5 virtual and physical devices and software. CISA has also released a directive related to vulnerabilities in Cisco Adaptive Security Appliance and Firepower devices, citing exploitation concerns and required mitigation steps.
In January, CISA announced the retirement of 10 older emergency directives, noting that the required actions had been completed or incorporated into broader federal vulnerability management requirements under Binding Operational Directive 22-01.
Related Articles
Milan “Mitch” Nikolich and James Gosler, national security experts from the Johns Hopkins Applied Physics Laboratory, have joined the Department of War’s Science, Technology and Innovation Board, or STIB. APL said Thursday Nikolich will serve as the STIB’s inaugural chair and Gosler will sit on the board as a member. APL Director Dave Van Wie said Nikolich and Gosler’s expertise will support the new board’s mission to connect technical researchers and industry partners and help national leaders maintain U.S. leadership in critical technologies. What Is the DOW STIB? The STIB is a new advisory panel established by Emil Michael, under
The Department of War has issued new guidance establishing procedures for identifying, assessing and mitigating threats posed by vendors supporting U.S. military operations. According to DOW, Under Secretary of War for Acquisition and Sustainment Michael Duffey, a 2026 Wash100 awardee, approved the guidance on vendor threat mitigation, or VTM, which took effect Monday. What Is the Purpose of the Vendor Threat Mitigation Guidance? The VTM guidance establishes standardized procedures across the department to vet commercial suppliers and manage risks linked to foreign adversaries, criminal networks and extremist organizations that may exploit vendor relationships with DOW. The guidance directs DOW officials
U.S. Army Chief Information Officer Leonel Garciga has issued interim cybersecurity guidance governing the operation and network connectivity of small unmanned aircraft systems, or sUAS, across the service. The Potomac Officers Club’s 2026 Army Summit on June 18 will highlight how the Army’s transformation efforts are reshaping modernization and contracting priorities, providing industry leaders with insight into the service’s path toward its 2030 goals. Save your seat now! What Is the Purpose of the Cybersecurity Guidance? According to the memo issued Feb. 5, the policy establishes interim requirements for operating small UAS, defined as Group 1 and Group 2 systems weighing 55