TL;DR: When attackers probe government systems, they often begin not with stolen credentials or phishing emails but with aging routers and firewalls left running long past the date their vendors stopped patching them. Those neglected edge devices have become a top federal concern, and US agencies are now being told to remove them before attackers take advantage.
CISA has ordered all civilian federal agencies to identify and remove "end-of-support" hardware and software that vendors no longer patch or maintain. The new directive, known as Binding Operational Directive 26-02, is part of an aggressive overhaul aimed at closing one of the most persistent security gaps in federal IT: obsolete edge infrastructure.
Issued in coordination with the Office of Management and Budget, the order sets strict deadlines for the discovery, remediation, and retirement of aging devices on the perimeters of federal networks. These include routers, VPN gateways, firewalls, and switches – systems that sit at the network boundary and regulate incoming and outgoing traffic, but which also make quiet launchpads for intrusions when left unpatched, since their services and management interfaces are frequently reachable directly from the internet.
Under the directive, agencies must promptly apply vendor updates to edge devices that are still supported and replace unsupported ones within 12 months. Within three months, every agency must produce an inventory of all of its edge equipment that identifies which devices have passed their vendor support dates. Over the following year, agencies must decommission that end-of-support gear while lining up replacements for the devices whose support windows close next.
Within 18 months, every unsupported device must be off government networks. The directive also requires agencies to keep tracking support status continuously after the initial cleanup, so that unsupported devices are not quietly reintroduced and newly expiring ones are caught before they become the next gap.
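The inventory, classification, and continuous-tracking steps above map onto a small amount of logic that any agency could run against its own asset data. The following is an added example written for this page, not CISA's tooling or anything the directive prescribes: it classifies each edge device against its vendor support date, flags devices with no date on file (which cannot be shown to be supported), and diffs two inventory snapshots to catch unsupported gear that reappears after a cleanup. The vendors, models, hostnames, support dates, the "as of" date, and the 180-day planning horizon are all constructed assumptions.

```python
"""Edge-device end-of-support triage and reintroduction check.

Added illustration of the inventory-and-tracking workflow described
above; not CISA's tooling and not the directive's own process. Vendors,
models, hostnames and support dates below are constructed for the
example, and the classification horizon (180 days) is an assumption.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class EdgeDevice:
    hostname: str
    role: str                        # router, firewall, vpn_gateway, switch
    vendor: str
    model: str
    end_of_support: Optional[date]   # None: no vendor support date on file


def classify(dev: EdgeDevice, today: date, horizon_days: int = 180) -> str:
    """Bucket one device by vendor support status as of `today`.

    unsupported : the vendor support date has already passed
    approaching : support ends within `horizon_days` (plan the replacement now)
    supported   : support continues beyond the horizon
    unknown     : no date on file, so the device cannot be shown to be supported
    """
    if dev.end_of_support is None:
        return "unknown"
    if dev.end_of_support < today:
        return "unsupported"
    if dev.end_of_support <= today + timedelta(days=horizon_days):
        return "approaching"
    return "supported"


def build_report(inventory: Iterable[EdgeDevice], today: date,
                 horizon_days: int = 180) -> Dict[str, List[str]]:
    """Group an inventory into the four buckets; hostnames sorted for stable diffs."""
    report: Dict[str, List[str]] = {
        "unsupported": [], "approaching": [], "supported": [], "unknown": []}
    for dev in inventory:
        report[classify(dev, today, horizon_days)].append(dev.hostname)
    for bucket in report.values():
        bucket.sort()
    return report


def find_reintroduced(previous: Iterable[EdgeDevice],
                      current: Iterable[EdgeDevice], today: date) -> List[str]:
    """Continuous-tracking check between two inventory snapshots.

    Returns devices in `current` that are unsupported (or have no support date)
    and were absent from `previous`: gear plugged back in after removal, or added
    without review. Identity is (hostname, vendor, model), so a supported
    replacement that reuses an old hostname is not mistaken for the retired box.
    """
    prev_ids = {(d.hostname, d.vendor, d.model) for d in previous}
    return sorted(
        d.hostname for d in current
        if (d.hostname, d.vendor, d.model) not in prev_ids
        and classify(d, today) in ("unsupported", "unknown")
    )


# Constructed sample data (assumption: the "as of" date and every device are fictional).
TODAY = date(2026, 3, 1)

PREVIOUS_INVENTORY = [
    EdgeDevice("fw-dc1-edge", "firewall", "ExampleVendor", "FW-2000", date(2025, 6, 30)),
    EdgeDevice("vpn-hq-1", "vpn_gateway", "ExampleVendor", "VPN-500", date(2026, 5, 15)),
    EdgeDevice("rtr-branch-7", "router", "OtherVendor", "R-100", date(2028, 1, 1)),
]

CURRENT_INVENTORY = [
    # FW-2000 was retired and replaced by a supported model under the same hostname.
    EdgeDevice("fw-dc1-edge", "firewall", "ExampleVendor", "FW-3000", date(2029, 12, 31)),
    EdgeDevice("vpn-hq-1", "vpn_gateway", "ExampleVendor", "VPN-500", date(2026, 5, 15)),
    EdgeDevice("rtr-branch-7", "router", "OtherVendor", "R-100", date(2028, 1, 1)),
    # A legacy router that was not in the last snapshot and is long past support.
    EdgeDevice("rtr-lab-2", "router", "OtherVendor", "R-100-legacy", date(2024, 1, 1)),
    # A switch with no vendor date on file: cannot be proven supported, so it is flagged.
    EdgeDevice("sw-floor-3", "switch", "OtherVendor", "S-40", None),
]


if __name__ == "__main__":
    for bucket, hosts in build_report(CURRENT_INVENTORY, TODAY).items():
        print(f"{bucket:12s} {', '.join(hosts) or '-'}")
    print("reintroduced:", find_reintroduced(PREVIOUS_INVENTORY, CURRENT_INVENTORY, TODAY))
```

Two design points matter in practice. A device with no vendor support date on file is treated as a finding rather than silently skipped, because an inventory that cannot prove support is exactly the gap the directive targets. And the reintroduction check keys on vendor and model as well as hostname, so a compliant replacement that inherits an old hostname does not trigger a false alarm while a decommissioned unit plugged back in does.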
CISA's acting director, Madhu Gottumukkala, framed the move as both overdue and essential. The agency has observed for years how attackers exploit unsupported devices to breach networks that otherwise have modern endpoint controls in place.
CISA's Executive Assistant Director for Cybersecurity, Nick Andersen, said state-backed and financially motivated actors alike have increasingly targeted these devices, taking advantage of firmware flaws that will never be patched once vendor support ends. Once such a device is compromised, attackers can use it as a foothold to move laterally into the network, steal data, or disrupt mission-critical operations.
CISA's Known Exploited Vulnerabilities catalog has documented several cases of discontinued network gear being used as attack vectors, including a bug tied to unsupported D-Link routers last December. The agency also cited a 2025 campaign attributed to Chinese state-linked actors that leveraged aging network equipment in espionage operations.
While the directive is mandatory for federal civilian agencies, it doesn't carry direct financial or legal penalties for noncompliance. Instead, CISA and the Office of Management and Budget will track progress and publicly report performance. In practice, agencies tend to treat Binding Operational Directives as high-priority mandates given their security implications.
To support implementation, CISA has developed an internal "End-of-Support Edge Device List" cataloging models commonly deployed in federal environments that are approaching or past their vendor-supported lifespans.
The list won't be released to the public, since a catalog of known-unsupported models would double as a target list if mishandled. Organizations outside the federal executive branch – state and local governments as well as private entities – are encouraged to consult their vendors directly about the support cycles of their own devices.
CISA is ordering US federal agencies to remove outdated routers and firewalls