CISA issued Binding Operational Directive 26-02 on February 5, 2026, requiring Federal Civilian Executive Branch (FCEB) agencies to eliminate unsupported edge devices from their networks. These end-of-support (EOS) devices no longer receive vendor security updates and are actively exploited by nation-state threat actors as entry points into federal networks. Federal agencies must now take immediate action to inventory, update, and ultimately replace these vulnerable devices on strict timelines. This post outlines what the directive requires and how network visibility platforms can address the operational challenges of meeting these requirements.
Who should read this post
- Security and Network Operations teams managing edge infrastructure including routers, firewalls, load balancers, and VPN gateways
- Network engineers responsible for maintaining network perimeter devices across hybrid and multi-vendor environments
- Risk and compliance professionals working in public-sector or enterprise environments subject to federal security directives
What is covered in this post
- Summary of CISA Binding Operational Directive 26-02 and its significance
- Key actions required by the directive (and associated deadlines)
- Technical approaches to address inventory, risk assessment, and remediation challenges
- Practical next steps for your organization
CISA's Directive: The Core Requirements
On February 5, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive 26-02 in response to widespread exploitation campaigns by advanced threat actors targeting end-of-support edge devices across federal networks.
The directive instructs federal agencies to immediately eliminate unsupported edge devices that no longer receive timely security updates from manufacturers, including patches for CVEs, security updates, and software fixes.
Key Actions and Deadlines
| Requirement | Description | Deadline |
| --- | --- | --- |
| Update Vendor-Supported Devices | Immediately update edge devices running end-of-support software to vendor-supported versions (where updates don't impact mission-critical functionality) | Immediate Action Required |
| Complete Device Inventory | Inventory all end-of-support edge devices using CISA's EOS Edge Device List and report findings to CISA | May 5, 2026 (3 months) |
| Begin Device Removal | Start removing devices that have reached their end-of-support dates from agency networks | February 5, 2027 (12 months) |
| Complete Device Removal | Remove all end-of-support edge devices from agency networks and replace with vendor-supported alternatives | August 5, 2027 (18 months) |
| Establish Lifecycle Management | Implement continuous discovery processes and maintain inventories of devices approaching end-of-support status | February 5, 2028 (24 months) |
The directive reflects the substantial and constant threat posed by unsupported devices that sit exposed at network boundaries, providing threat actors with pivot points into identity systems and internal networks.
Understanding End-of-Support Edge Devices
Edge devices are critical infrastructure components that reside on the boundary of an organization's network and are accessible from the public internet. These include:
- Load balancers
- Firewalls
- Routers and switches
- VPN gateways and concentrators
- Wireless access points
- Network security appliances
- IoT edge devices
- Software-defined networking components
A device becomes end-of-support (EOS) when its manufacturer no longer provides timely, supported updates including security patches, CVE fixes, hotfixes, and defect corrections. CISA has observed nation-state actors actively exploiting EOS devices from vendors including Cisco, Fortinet, Palo Alto Networks, Ivanti, and Juniper as entry points into critical infrastructure.
Addressing the Inventory Challenge
Manual tracking of device lifecycles across diverse, multi-vendor environments is time-consuming and error-prone—especially when dealing with thousands of edge devices across on-premises, cloud, and hybrid deployments. The core challenge is maintaining accurate, real-time visibility into:
- Device discovery and classification — Identifying all edge devices across your estate, including routers, firewalls, load balancers, VPN gateways, and switches from multiple vendors
- Version tracking — Correlating running software versions against vendor end-of-support announcements
- Internet exposure assessment — Determining which devices are publicly accessible and pose the highest risk
- Lifecycle planning — Tracking device age and support timelines to proactively plan replacements before devices reach EOS status
Network digital twin technology addresses these challenges by creating a comprehensive, vendor-agnostic model of your infrastructure. This enables automated discovery across 30+ vendors and 900+ OS versions, with filtering capabilities by vendor, model, OS version, and support status to quickly isolate vulnerable devices.
Validating Risk and Prioritizing Remediation
Once EOS devices are identified, the operational challenge shifts to risk assessment and remediation planning. Organizations need to answer critical questions:
- Which EOS devices have direct Internet exposure?
- What vulnerabilities exist on these devices, and are they in CISA's Known Exploited Vulnerabilities catalog?
- What network paths exist from compromised edge devices to critical internal systems?
- Which devices can be updated versus which require replacement?
Automated policy-as-code queries enable continuous validation across your infrastructure:
- Detect devices running unsupported software versions against known vendor EOS dates
- Identify edge devices with Internet-exposed management interfaces (SSH, HTTPS, SNMP)
- Cross-reference device vulnerabilities against CISA KEV catalog entries
- Flag devices approaching their end-of-support dates for proactive planning
Attack surface analysis provides visibility into the blast radius of a potential compromise. By modeling network flows and reachability, you can understand which EOS devices provide direct pathways to identity infrastructure, domain controllers, or sensitive data stores. This allows for risk-based prioritization: devices with high exposure and high criticality move to the top of the remediation queue.
Continuous monitoring transforms compliance from a point-in-time exercise into an ongoing security posture. Automated alerts trigger when new devices are added to your network or when existing devices approach end-of-support status, preventing the accumulation of technical debt.
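The policy-as-code checks and risk-based prioritization described above, sketched as an added Python example (not code from the directive, CISA, or any vendor platform). The inventory, the EOS table schema, the scoring weights, and every vendor, model, and CVE identifier are constructed placeholders.

```python
from datetime import date, timedelta

# Constructed sample data: vendor, model and version names are hypothetical,
# and this EOS table schema is an assumption, not the format of CISA's list.
EOS_DATES = {
    ("VendorA", "fw-100", "9.1"): date(2025, 6, 30),
    ("VendorB", "vpn-20", "4.2"): date(2026, 9, 1),
    ("VendorA", "rtr-7", "15.3"): date(2029, 1, 1),
}
KEV_IDS = {"CVE-0000-0001"}  # placeholder ID standing in for KEV catalog entries
MGMT_PORTS = {22, 443, 161}  # SSH, HTTPS, SNMP management interfaces
WEIGHTS = {"EOS": 4, "EXPOSED_MGMT": 3, "KEV_MATCH": 3, "APPROACHING_EOS": 1, "UNKNOWN_SUPPORT": 1}

INVENTORY = [
    {"host": "edge-fw-1", "vendor": "VendorA", "model": "fw-100", "version": "9.1",
     "mgmt_ports_from_internet": [22, 443], "cves": ["CVE-0000-0001"], "reaches_identity": True},
    {"host": "edge-vpn-1", "vendor": "VendorB", "model": "vpn-20", "version": "4.2",
     "mgmt_ports_from_internet": [], "cves": [], "reaches_identity": False},
    {"host": "core-rtr-1", "vendor": "VendorA", "model": "rtr-7", "version": "15.3",
     "mgmt_ports_from_internet": [], "cves": ["CVE-0000-0002"], "reaches_identity": True},
    {"host": "edge-lb-1", "vendor": "VendorC", "model": "lb-5", "version": "2.0",
     "mgmt_ports_from_internet": [161], "cves": [], "reaches_identity": False},
]

def evaluate(device, today, warn_days=365):
    """Return (findings, score) for one device; a higher score is remediated sooner."""
    findings = []
    eos = EOS_DATES.get((device["vendor"], device["model"], device["version"]))
    if eos is None:
        findings.append("UNKNOWN_SUPPORT")  # not in the EOS table: review manually
    elif eos <= today:
        findings.append("EOS")
    elif eos - today <= timedelta(days=warn_days):
        findings.append("APPROACHING_EOS")
    if any(p in MGMT_PORTS for p in device["mgmt_ports_from_internet"]):
        findings.append("EXPOSED_MGMT")
    if KEV_IDS.intersection(device["cves"]):
        findings.append("KEV_MATCH")
    score = sum(WEIGHTS[f] for f in findings)
    if findings and device["reaches_identity"]:
        score += 2  # blast radius: a modeled path to identity systems raises priority
    return findings, score

def remediation_queue(inventory, today):
    rows = [(d["host"], *evaluate(d, today)) for d in inventory]
    return sorted((r for r in rows if r[1]), key=lambda r: -r[2])

if __name__ == "__main__":
    for host, findings, score in remediation_queue(INVENTORY, date(2026, 2, 5)):
        print(f"{score:>2}  {host:<11} {', '.join(findings)}")
```

A device missing from the EOS table is reported as `UNKNOWN_SUPPORT` rather than treated as supported, so gaps in the lifecycle data surface in the queue instead of hiding unsupported hardware.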
Key Capabilities for BOD 26-02 Compliance
Meeting BOD 26-02 requirements demands specific technical capabilities:
- Read-only network discovery that builds complete infrastructure models without modifying configurations or risking operational disruption
- Multi-vendor support to handle heterogeneous environments without maintaining separate tools for each vendor platform
- Scale to handle enterprise and federal agency environments with tens of thousands of devices
- Automated verification through policy-as-code that replaces manual CLI audits and spreadsheet tracking
- Evidence generation for audit trails, CISA reporting, and stakeholder communication
What You Should Do Right Now
- Assess your current state: Identify all edge devices in your environment and determine which are running end-of-support software or hardware.
- Prioritize Internet-facing devices: Focus first on devices accessible from the public internet, as these pose the highest risk for initial compromise.
- Implement automated discovery and queries to:
  - Flag all EOS devices across your network
  - Identify devices with exposed management interfaces
  - Map dependencies and network flows to assess blast radius
  - Track devices approaching end-of-support dates
- Develop a remediation roadmap:
  - Immediately update devices where vendor-supported software is available
  - Plan replacements for devices that cannot be updated
  - Establish timelines aligned with BOD 26-02 deadlines
- Document and report: Prepare inventory findings and remediation plans for CISA reporting by May 5, 2026.
- Implement lifecycle management: Establish continuous monitoring and inventory processes to prevent future EOS device accumulation.
Moving Forward with Confidence
CISA's Binding Operational Directive 26-02 underscores the critical importance of proactive lifecycle management for edge infrastructure. Unsupported devices represent disproportionate and avoidable risk—one that nation-state threat actors are actively exploiting.
The key to successful compliance is treating this as an operational transformation, not a compliance checkbox. Organizations need:
- Continuous visibility into device inventory and support status
- Automated detection of configuration drift and policy violations
- Risk-based prioritization that focuses resources on the highest-impact threats
- Proactive lifecycle management that prevents EOS devices from accumulating in the first place
By implementing network digital twin technology and automated policy verification, teams can move from reactive, manual compliance efforts to proactive security posture management. The goal isn't just meeting BOD 26-02 deadlines—it's building resilient infrastructure that can withstand modern threat actors and adapt to evolving security requirements.
Organizations that invest in these capabilities now will be better positioned not just for this directive, but for the inevitable future directives and security challenges ahead.



