The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has directed federal agencies to identify and remove unsupported edge network devices from their networks. The binding operational directive, issued to Federal Civilian Executive Branch (FCEB) agencies, gives them 12 to 18 months to complete the removal. The goal is to reduce the significant cybersecurity risk posed by equipment that no longer receives security updates from its manufacturer.
Directive Details and Rationale
The directive, BOD 24-02, focuses on strengthening asset lifecycle management for devices at the network edge. These include routers, switches, firewalls, and VPN concentrators that are exposed to the public internet. CISA stated that the primary goal is to drive down technical debt and minimize the attack surface available to malicious actors. Devices that have reached their manufacturer’s end-of-life or end-of-support date are considered unsupported and must be cataloged and removed.
CISA defines unsupported products as those for which the original equipment manufacturer (OEM) no longer provides security updates, patches, or vulnerability management. In practice that is the vendor's end-of-software-maintenance or last-date-of-support milestone, not the earlier end-of-sale date; a device can still be under a hardware contract yet receive no security fixes. Operating such devices creates a persistent and unacceptable risk, as known vulnerabilities cannot be remediated, leaving federal networks open to exploitation. The agency emphasized that this mandate is a foundational step in improving the overall cybersecurity posture of the federal government.
Implementation Timeline and Requirements
Agencies have 30 days from the directive’s issuance to begin developing an internal inventory of all edge devices. Within 120 days, they must establish a comprehensive asset management policy. The core remediation phase, the physical removal and replacement of the unsupported hardware, must be completed within the next 12 to 18 months.
Throughout this period, agencies must provide quarterly status reports to CISA detailing their progress on inventory creation and device removal. The directive covers all hardware and software edge devices directly reachable from the public internet; internal network equipment is left to possible future phases.
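The inventory-and-removal process above comes down to comparing each edge device against its vendor's end-of-support date and prioritising the ones that are both unsupported and internet-exposed. The script below is an added illustration of that triage, not CISA tooling or anything published with the directive: the `Device` records, hostnames, model names and end-of-support dates are constructed sample data, and the 180-day "expiring" window is an assumed planning threshold, not a figure from the directive. The one behaviour worth copying is that a device with no known end-of-support date is reported as "unknown" rather than silently counted as supported.

```python
"""Triage a network-device inventory against vendor end-of-support (EoS) dates.

Added example for this article; not part of the directive or any CISA tool.
All inventory rows below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed planning threshold (not from the directive): flag devices whose
# vendor support ends within this many days so replacement can be budgeted.
EXPIRING_WINDOW_DAYS = 180


@dataclass(frozen=True)
class Device:
    hostname: str
    role: str                       # router, switch, firewall, vpn
    model: str                      # constructed model name
    end_of_support: Optional[date]  # None = date not yet confirmed with the OEM
    internet_exposed: bool          # reachable from the public internet


def classify(dev: Device, today: date) -> str:
    """Return 'unsupported', 'expiring', 'supported' or 'unknown' for one device.

    A missing EoS date is a data-quality gap: it must be resolved with the
    vendor, so it is never treated as 'supported'.
    """
    if dev.end_of_support is None:
        return "unknown"
    if dev.end_of_support <= today:
        return "unsupported"
    if (dev.end_of_support - today).days <= EXPIRING_WINDOW_DAYS:
        return "expiring"
    return "supported"


def status_report(inventory: List[Device], today: date) -> Dict[str, int]:
    """Count devices per status, in the shape a quarterly summary would need."""
    counts = {"unsupported": 0, "expiring": 0, "supported": 0, "unknown": 0}
    for dev in inventory:
        counts[classify(dev, today)] += 1
    return counts


def removal_queue(inventory: List[Device], today: date) -> List[str]:
    """Hostnames of unsupported devices, internet-exposed first, then oldest EoS first."""
    unsupported = [d for d in inventory if classify(d, today) == "unsupported"]
    unsupported.sort(key=lambda d: (not d.internet_exposed, d.end_of_support))
    return [d.hostname for d in unsupported]


# Constructed sample inventory (hostnames, models and dates are invented).
SAMPLE_INVENTORY = [
    Device("edge-fw-01", "firewall", "FW-1000", date(2023, 12, 31), True),
    Device("vpn-01", "vpn", "VPNC-200", date(2025, 9, 30), True),
    Device("core-sw-01", "switch", "SW-9000", date(2028, 1, 1), False),
    Device("branch-rtr-07", "router", "RTR-300", None, True),
    Device("lab-rtr-02", "router", "RTR-100", date(2024, 6, 1), False),
]
SAMPLE_TODAY = date(2025, 6, 1)

if __name__ == "__main__":
    print(status_report(SAMPLE_INVENTORY, SAMPLE_TODAY))
    print(removal_queue(SAMPLE_INVENTORY, SAMPLE_TODAY))
```

Run as-is it summarises the constructed inventory and lists the two unsupported devices with the internet-exposed firewall first; point it at a real asset export (with EoS dates confirmed against vendor notices) and the same two functions give the counts for a status report and the order in which to schedule replacements.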
Background and Broader Security Context
This order follows several high-profile incidents where outdated network infrastructure was exploited by state-sponsored and criminal hacking groups. CISA and other federal agencies have repeatedly warned that legacy systems constitute one of the most severe vulnerabilities in national cybersecurity defenses. The directive aligns with broader administration initiatives, such as the National Cybersecurity Strategy, which prioritizes modernizing federal IT infrastructure.
Technical debt, the implied future cost of continuing to run outdated technology, has been a long-standing challenge for government IT managers. Budget constraints and complex procurement processes often lead agencies to keep network equipment in service well beyond its supported lifespan. This directive forces a systematic approach to working down that accumulated risk.
Expected Impact and Next Steps
The mandate is expected to trigger significant procurement activity as agencies replace aging hardware with supported models. It also places new accountability on agency heads and chief information officers to maintain accurate, real-time asset inventories. While the directive currently binds only FCEB agencies, CISA often encourages similar actions for private sector and state, local, tribal, and territorial government partners.
Looking forward, agencies will focus on executing their asset management plans and meeting the strict quarterly reporting deadlines. CISA has indicated it may issue further guidance or directives targeting other classes of vulnerable infrastructure, such as internal network devices or specific software applications, as part of a continuous effort to harden federal systems against cyber threats.
Source: CISA Binding Operational Directive 24-02