CISA orders federal agencies to rip out EOL edge kit before cybercrooks move in
(2026/02/06)
- Reference: 1770383903
- News link: https://www.theregister.co.uk/2026/02/06/cisa_eol_edge_order/
America's federal agencies have been told to hunt down and rip out aging firewalls, routers, and other network gatekeepers before attackers use them as skeleton keys into government systems.
CISA has issued [1] a Binding Operational Directive that orders federal civilian executive branch agencies to inventory and replace "end-of-support" edge devices – hardware and software that vendors no longer patch or maintain – in a bid to close one of government IT's most persistent intrusion paths.
The directive, published this week, requires agencies to immediately update still-supported equipment and, within three months, produce a comprehensive inventory of edge devices to identify those past vendor support deadlines. Anything that's fallen off the vendor support cliff has to be booted off government networks and replaced with kit that still gets security fixes. Agencies have about a year to finish the hardware spring clean, and two years to put tracking in place so they don't end up quietly running abandonware again.
CISA is acting after years of watching obsolete edge hardware morph into reliable break-in tools. Firewalls, VPN gateways, routers, and other outward-facing security gear sit right on the network's front line, and when one is compromised, it can open a surprisingly short path to everything behind it.
When vendors stop issuing patches, newly discovered flaws remain permanently exposed, turning those devices into what CISA calls a "substantial and constant" risk to federal networks.
Acting CISA boss Madhu Gottumukkala said unsupported devices have no business staying plugged into enterprise networks, pitching the directive as part of a wider push to toughen up federal systems against the steady drumbeat of cyber campaigns targeting both government and industry.
To help agencies comply, CISA plans to publish and maintain a list of edge devices that have reached or are nearing the end of support. The directive was developed alongside the Office of Management and Budget (OMB) and effectively adds enforcement muscle to long-standing federal policy requiring agencies to phase out unsupported technologies as quickly as possible.
The directive may be labeled binding, but it doesn't come with financial smackdowns or handcuffs. CISA monitors progress with help from OMB, banking on the fact that agencies usually treat these mandates as something closer to law than guidance.
The agency is also urging state, local, and private-sector organizations to adopt similar cleanup efforts, even though the directive formally applies only to federal civilian systems.
The order lands amid a broader recognition that attackers increasingly target infrastructure rather than endpoints, exploiting network gear that may run quietly for years without attention. The directive makes clear that swapping out old hardware is now part of the security playbook, not just a line item buried in procurement. ®
[1] https://www.cisa.gov/news-events/directives/bod-26-02-mitigating-risk-end-support-edge-devices
Wrong approach
This is the US government we're talking about.
They have the clout to order tech companies to continue support, both for their own gear and for other perfectly functional equipment that's been dropped for planned obsolescence reasons. There are laws already in place (like the Defense Production Act) that would enable it.
Instead they're enabling and encouraging bad corporate behavior.