
CISA issued Emergency Directive 26-01 on October 15, 2025, following the discovery of a nation-state breach involving F5 BIG-IP source code and vulnerabilities. Federal agencies must take immediate action to inventory, patch, and secure affected devices before key October and December deadlines. This post outlines what the directive requires and how Forward Enterprise helps organizations meet those requirements through network visibility, automation, and compliance verification.

 

Who should read this post

  • Security and Network Operations teams managing F5 Networks BIG-IP hardware or virtual appliances
     
  • Network engineers responsible for external-facing application delivery infrastructure
     
  • Risk and compliance professionals working in public-sector or enterprise environments subject to federal advisories

What is covered in this post

  • Summary of CISA Emergency Directive 26-01 and its significance
     
  • Key actions required by the directive (and associated deadlines)
     
  • How Forward Networks helps agencies and enterprises meet each requirement
     
  • Practical next steps for your organization

 

CISA’s Directive: The Core Requirements
 

On October 15, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 26-01 in response to a nation-state actor’s exfiltration of F5 BIG-IP source code and vulnerability data.

The directive instructs impacted federal agencies to immediately inventory, patch, and secure all affected F5 devices.

Key Actions and Deadlines

| Requirement | Description | Deadline |
|---|---|---|
| Harden Public-Facing Devices | Identify and secure management interfaces accessible from the Internet | October 22, 2025 |
| Complete Inventory | Identify all BIG-IP systems (hardware, virtual, container, etc.) across both Internet-facing and internal networks | October 29, 2025 |
| Deploy Security Updates | Apply vendor patches / mitigations to all affected devices | October 31, 2025 |
| Submit Detailed Inventory Report | Provide full device inventory and remediation verification to CISA | December 3, 2025 |
| Disconnect EoS Devices | Immediately decommission any public-facing end-of-support systems | Immediate Action Required |

The urgency of these directives reflects a high risk of credential theft, lateral movement, data exfiltration, and full system compromise.

 

Identifying Impacted F5 BIG-IP Devices

Manual spreadsheets and siloed tooling make it difficult and time-consuming to discover every BIG-IP instance—especially across hybrid cloud or multi-vendor environments.

With Forward Enterprise’s digital twin, you can:

  • Automatically discover all devices running BIG-IP (hardware, VE, Next, container) across your network estate.
     
  • Filter by vendor, OS version, role, and Internet exposure to isolate vulnerable systems.
     
  • Tag Internet-facing appliances and highlight those with exposed management interfaces or modules requiring immediate action.
     

Using Forward to Validate Configurations and Accelerate Remediation

Once devices are identified, the next step is verifying whether they are at risk, patched, or appropriately segmented.

Forward Enterprise enables this through:

  • Network Query Engine (NQE): Run policy-as-code queries across your entire estate to detect risk indicators (e.g., publicly exposed interfaces, unsupported software versions, missing patches).
     
  • Attack-Surface Analysis: Visualize flows and reachability to quickly determine whether Internet-facing BIG-IP devices allow risky paths into core systems.
     
  • Automated Reporting: Export inventories and remediation evidence in formats ready for CISA submission or internal tracking.
     

In short, you can move from awareness to action — faster and with greater confidence.

 

Why Agencies and Enterprises Choose Forward

  • Zero-risk, read-only discovery that never changes device configurations or interrupts operations.
     
  • Vendor-agnostic digital twin covering 30+ vendors and 900+ OS versions to eliminate tool sprawl.
     
  • Scalable to 50,000+ devices per instance, suitable for large federal or global environments.
     
  • Automation and NQE queries that replace manual spreadsheets and CLI audits with repeatable workflows.
     
  • Audit-ready evidence and reporting that prove compliance and streamline incident response.
     

What You Should Do Right Now

  1. Assess whether any BIG-IP devices (hardware, virtual, container) exist in your environment.
     
  2. Determine exposure: Identify which are Internet-facing and whether they run affected versions or modules.
     
  3. Run NQE queries in Forward to flag unsupported or end-of-life devices, exposed ports, and missing patches.
     
  4. Remediate and isolate impacted devices by October 31 per the directive timeline.
     
  5. Document and report your findings to stakeholders and CISA by the October 29 and December 3 deadlines.
     
  6. Monitor continuously: Treat verification and compliance tracking as an ongoing process to reduce future risk.
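
The triage in steps 1 to 4 can also be run over any exported device inventory. The Python below is an added example, not Forward Networks code or an NQE query; the CSV column names and sample hosts are constructed assumptions, and the deadlines are the ones listed in this post.

```python
import csv
import io
from datetime import date

# Deadlines as listed in this post's "Key Actions and Deadlines" table.
HARDEN_BY = date(2025, 10, 22)
PATCH_BY = date(2025, 10, 31)

# Constructed sample inventory; the column names are assumptions for this
# example, not the export format of any particular tool.
SAMPLE_INVENTORY = """hostname,form_factor,internet_facing,mgmt_exposed,end_of_support,patched
bigip-edge-01,hardware,yes,yes,no,no
bigip-edge-02,virtual,yes,no,yes,no
bigip-core-01,hardware,no,no,no,yes
bigip-lab-01,container,no,no,yes,no
"""

def _flag(row, key):
    return row[key].strip().lower() in ("yes", "true", "1")

def triage(row, today):
    """Return (action, due_date, overdue) tuples for one inventory row."""
    public = _flag(row, "internet_facing") or _flag(row, "mgmt_exposed")
    if public and _flag(row, "end_of_support"):
        # Public-facing end-of-support devices are disconnected immediately,
        # so no other action applies and the item is always overdue.
        return [("disconnect", None, True)]
    actions = []
    if _flag(row, "mgmt_exposed"):
        actions.append(("harden-mgmt-interface", HARDEN_BY, today > HARDEN_BY))
    if not _flag(row, "patched"):
        # Covers vendor patches or mitigations, per the directive summary.
        actions.append(("apply-updates", PATCH_BY, today > PATCH_BY))
    return actions

def build_report(csv_text, today):
    """Map hostname -> outstanding actions; an empty list means none remain."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["hostname"]: triage(row, today) for row in reader}

if __name__ == "__main__":
    report = build_report(SAMPLE_INVENTORY, date(2025, 10, 25))
    for host, actions in report.items():
        print(host, actions or "no outstanding action")
```

Devices with an empty action list are the ones that can be reported as remediated; anything marked overdue needs escalation before the December 3 report.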

 

Moving Forward with Confidence

 

CISA’s Emergency Directive 26-01 underscores how quickly federal agencies must respond to emerging nation-state threats.

With Forward Networks’ digital twin and compliance-ready workflows, your team can act decisively—ensuring your F5 BIG-IP estate is inventoried, hardened, and verifiably compliant by every CISA deadline.



 
