Sequenxa Intelligence Agency

CISA BOD 26-02: 12 Months to Rip Out End of Life Devices

February 10, 2026

What Is CISA's Binding Operational Directive 26-02?


The Cybersecurity and Infrastructure Security Agency has issued Binding Operational Directive 26-02 (BOD 26-02), establishing a 12-month operational window for federal civilian agencies to identify and remove unsupported edge devices from their networks (CISA, 2026).


Why? Because nation-state actors have developed persistent exploitation patterns targeting end-of-support edge devices across federal infrastructure. The operational intelligence is unambiguous.


CISA BOD 26-02 represents a data-driven response to a pattern of exposure in legacy federal network devices that sophisticated adversaries have systematically catalogued and weaponized.


Why CISA Orders to Replace Unsupported Edge Devices


Persistent Exploitation Campaigns


The operational reality demands integrated visibility.


According to CISA's Executive Assistant Director for Cybersecurity, adversaries with nation-state capabilities have established persistent targeting methodologies against the unsupported edge devices embedded within federal network architectures. The pattern analysis reveals coordinated, resourced operations.


We've seen this pattern repeatedly. These aren't opportunistic actors. These are adversaries with operational continuity, technical infrastructure, and strategic patience.


What Makes End-of-Life Edge Devices So Dangerous?



Unremediable vulnerabilities. Manufacturers have terminated support lifecycles for these systems. Zero-day discoveries compound into permanent exposure. Vulnerabilities cannot be patched; they can only be catalogued by adversaries and integrated into exploitation frameworks.


Network topology positioning. Edge devices occupy critical perimeter positions within the enterprise ontology. They interface with internal networks, identity management systems, and sensitive data flows. Compromise at the edge establishes lateral movement capability across the entire operational environment.


Federal technical debt. Budgetary constraints across multiple fiscal cycles have created infrastructure persistence beyond rational operational lifecycles. Adversaries maintain comprehensive databases of deployed systems, vendor distributions, and version-level detail across federal agency networks.


Incomplete asset ontology. Defense requires complete data integration. Most agencies lack comprehensive edge device inventory visibility, creating asymmetric information advantages for adversaries who maintain superior intelligence on the actual deployed infrastructure.


Nation-State Actors Are Already Here


CISA references "persistent cyber campaigns" and "recent public reports of campaigns targeting certain vendors" (CISA, 2025). The language indicates classified intelligence supporting the directive.


Chinese and Russian advanced persistent threat groups have executed multiple campaigns specifically targeting end-of-support firewalls and legacy edge infrastructure from vendors including Barracuda, Ivanti, Fortinet, Cisco, and Juniper Networks (Mandiant, 2024).


These operations exhibit characteristics CISA describes as "substantial and constant, resulting in a significant threat to federal property." They show operational sophistication, persistence, and demonstrated effectiveness.


What indicators would convince you that an unsupported edge device is already being used as a pivot point into internal identity or management networks?


BOD 26-02 Requirements:


BOD 26-02 Summary: What Federal Agencies Must Do


Your BOD 26-02 compliance checklist establishes three operational timelines:


Within 3 Months:


Provide CISA with complete inventory of all devices matching the CISA EOS Edge Device List


Identify all end-of-life network devices across your enterprise


Document current federal edge device lifecycle management processes (or lack thereof)


Within 12 Months:


Decommission all identified end-of-support devices


Execute your end-of-life device replacement plan


Complete emergency replacement of unsupported firewalls for critical infrastructure


Within 24 Months:


Establish continuous discovery processes for edge devices approaching end-of-life


Implement automated federal edge device modernization workflows


Deploy monitoring that actually tells you what's running on your network


How to Comply with CISA BOD 26-02?


Complete visibility precedes operational compliance.


Step 1: Establish Comprehensive Asset Intelligence


Identifying end-of-life devices on network infrastructure requires acknowledging incomplete data integration. You cannot satisfy BOD 26-02 requirements without comprehensive infrastructure visibility.


Traditional asset management assumes known device ontologies. But edge infrastructure accumulates across operational timeframes, organizational changes, contractor deployments, and decentralized technology decisions. The platform requirements include:


Agentless device detection across distributed network architectures


Cross-referenced manufacturer end-of-support dates against deployed infrastructure


Differentiation between EOL and EOS edge devices (End-of-Life vs End-of-Support; both represent operational risk)


Dependency mapping to prevent service disruption during replacement operations


Step 2: Prioritize Based on Integrated Risk Intelligence


Not all end-of-support devices present equivalent threat vectors. Operational triage requires:


Internet-facing exposure - Devices with public internet accessibility undergo continuous adversarial reconnaissance.


Active exploitation indicators - Monitoring systems detecting reconnaissance patterns or anomalous traffic targeting specific edge devices reveal active adversary interest.


Critical system integration - Assets interfacing with identity management, classified networks, or sensitive data flows.


Compensating controls - Network segmentation, behavioral monitoring, or detection capabilities providing temporal risk mitigation.
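The cross-referencing in Step 1 and the triage in Step 2 can be combined in a few lines. The following is an added example, not part of the directive or any CISA tooling: the device names, dates, and score weights are constructed assumptions, and status is taken from the earlier of the hardware and firmware end-of-support dates.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Device:
    name: str
    hw_eos: Optional[date]  # hardware end-of-support date (None = not yet known)
    fw_eos: Optional[date]  # end-of-support date of the running firmware/OS
    internet_facing: bool = False
    exploitation_indicators: bool = False
    critical_integration: bool = False
    compensating_controls: bool = False

def support_status(dev, today, warn_days=365):
    """Classify on the EARLIER of the hardware and firmware EOS dates."""
    if dev.hw_eos is None or dev.fw_eos is None:
        return "unknown"  # incomplete record: needs discovery, never "supported"
    earliest = min(dev.hw_eos, dev.fw_eos)
    if earliest <= today:
        return "unsupported"
    return "approaching" if (earliest - today).days <= warn_days else "supported"

def risk_score(dev):
    # Weights are assumptions for illustration, not values from the directive.
    score = (4 * dev.internet_facing + 5 * dev.exploitation_indicators
             + 3 * dev.critical_integration - 2 * dev.compensating_controls)
    return max(score, 0)

def triage(inventory, today):
    """Bucket devices; unsupported ones are ordered by descending risk score."""
    out = {"replace": [], "approaching": [], "unknown": []}
    for dev in inventory:
        status = support_status(dev, today)
        if status == "unsupported":
            out["replace"].append((dev.name, risk_score(dev)))
        elif status in out:
            out[status].append(dev.name)
    out["replace"].sort(key=lambda item: -item[1])
    return out

# Constructed sample inventory (hypothetical names and dates).
TODAY = date(2026, 2, 10)
INVENTORY = [
    Device("fw-branch-01", date(2030, 1, 1), date(2019, 6, 30), True, False, True),
    Device("vpn-legacy-02", date(2023, 3, 1), date(2023, 3, 1), True, True, True),
    Device("sw-core-03", date(2024, 1, 1), date(2024, 1, 1), compensating_controls=True),
    Device("ap-lobby-04", date(2026, 9, 1), date(2028, 1, 1)),
    Device("lb-dmz-05", None, None, True),
    Device("rtr-new-06", date(2031, 1, 1), date(2031, 1, 1)),
]

if __name__ == "__main__":
    print(triage(INVENTORY, TODAY))
```

Note that fw-branch-01 lands in the replacement bucket even though its hardware is supported until 2030, and that a record with no known dates is surfaced for discovery instead of being silently treated as supported.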


Step 3: Maintain Operational Intelligence During Replacement


Government rip-and-replace programs for legacy devices operate across extended timelines. During procurement and implementation cycles, you require monitoring infrastructure that reveals whether end-of-life devices are experiencing active exploitation, what lateral movement patterns emerge from compromised edge infrastructure, and whether network segmentation effectively contains threat actor movement.


Budget Integration:


Emergency procurement for devices showing active exploitation


Multi-year modernization budgets for systematic replacement


Monitoring infrastructure that doesn't blind you during the transition



Technical Architecture:


Alignment with zero trust edge device requirements


Migration to cloud-managed devices where it makes sense


Automated patch management for everything you deploy


Behavioral monitoring that works regardless of device age



Operational Continuity:


Phased replacement schedules with continuous threat detection


Parallel operation during transitions with visibility into both old and new infrastructure


Actual testing before you decommission the old stuff


Step 4: Integrated Threat Detection


The BOD 26-02 implementation guide emphasizes ongoing lifecycle management, but you also need continuous threat detection: automated alerts when devices approach end-of-support dates, real-time monitoring for exploitation attempts, behavioral analysis that detects anomalous activity, and integration between lifecycle management and threat detection. When a device falls out of support, monitoring should automatically increase.


What Devices Does BOD 26-02 Cover?


CISA End-of-Support Edge Devices Categories


The directive applies to hardware and software "no longer supported by its original equipment manufacturer," (CISA, 2025) specifically:


Network Infrastructure:


Routers and switches


Firewalls and network security appliances


Load balancers


Wireless access points


VPN concentrators



Edge Computing:


Internet of Things (IoT) edge devices


Remote access gateways


Branch office security appliances


Unified threat management systems


CISA maintains the EOS Edge Device List as a controlled dataset (operational security considerations prevent public distribution), but agencies receive access to this continuously updated inventory.


EOL vs EOS Edge Devices: What's the Difference?


End-of-Life (EOL): Manufacturer discontinued the product entirely. No support available under any circumstances.


End-of-Support (EOS): Manufacturer still sells the product but stopped providing security updates for older versions.


Both fall under CISA BOD 26-02 requirements because from a security perspective, unsupported is unsupported.


End-of-Life Software Security Risks


While edge hardware gets the attention, the directive also covers the security risks of end-of-life and unsupported software. Many edge devices run embedded operating systems that reach end-of-support independently of the hardware lifecycle.


The risks of using unsupported operating systems include:


Unpatched zero-days that will never be fixed


Incompatibility with modern security tools


Violations of compliance requirements for end-of-life systems


Inability to integrate with SIEM, threat intelligence, or monitoring platforms


When conducting your BOD 26-02 compliance assessment, you need to evaluate the end-of-support status of both hardware and software. That firewall might be physically fine, but if it's running firmware the vendor stopped supporting in 2019, it's still a problem.


Frequently Asked Questions


How often does CISA update the EOS Edge Device List?


Expect quarterly updates as manufacturers announce end-of-support dates and new threat intel emerges about exploited devices.


Does BOD 26-02 apply to cloud-managed edge devices?


Yes. If the underlying device firmware or management software reaches end-of-support, it's covered.


Can agencies request deadline extensions?


The directive allows agencies to work with CISA on implementation challenges, but the core timelines are mandatory. Start your process for identifying end-of-support edge devices and engage CISA early if you hit roadblocks.


How is this different from normal vulnerability management?


Standard vulnerability management assumes vulnerabilities can be patched. CISA orders federal agencies to replace unsupported edge devices because these systems cannot be patched. The only remediation is replacement or decommissioning.


What Does It Mean?


Visibility establishes the operational foundation. You cannot inventory assets outside your data integration framework. Traditional CMDBs and scheduled scans fail to capture the edge devices adversaries actively exploit. Threat monitoring is not optional.


Adversaries maintain active targeting. Nation-state actors from China and Russia have established persistent campaigns against unsupported edge devices across federal infrastructure. They operate on their timeline, not yours.


EOL and EOS represent identical risk profiles. End-of-Life and End-of-Support devices present the same operational vulnerability. Both fall under CISA BOD 26-02 requirements. Both require continuous monitoring until replacement.


Software lifecycle independence. Don't overlook end-of-life software security risks. Embedded operating systems and firmware reach end-of-support on lifecycle trajectories independent of the hardware.


Prioritize through threat intelligence, not chronological age. Identify which devices adversaries are actively targeting, then prioritize those for emergency replacement.


This requires institutional process, not project execution. Federal edge device lifecycle management demands continuous discovery, automated alerts, and integrated threat detection. Build sustainable operational processes or face cyclical crisis response.


Three non-negotiable timelines: 3 months to establish complete inventory. 12 months to decommission identified systems. 24 months to implement continuous processes.


Firmware EOS blindsides hardware-focused audits every time. Reach out if embedded OS gaps blew up your initial sweep; we'll cross-reference against agency-wide surprise rates and unpatched software risks hitting compliance.


You'll dodge emergency replacement chaos; we'll refine lifecycle management blind spots. Integrated intelligence reveals what siloed analysis misses.


References


Cybersecurity and Infrastructure Security Agency (CISA). (2025). Binding Operational Directive 26-02: Remove Unsupported Edge Devices. Retrieved from https://www.cisa.gov/directives


Mandiant. (2024). APT Trends Report: Edge Device Exploitation Campaigns. Retrieved from https://www.mandiant.com


Written by Sherrie Ann Pasahol

Sherrie Ann is a security intelligence writer at Sequenxa, a private security intelligence company focused on reducing crime through sophisticated intelligence operations. Over the past year, she has covered emerging threats, criminal trends, and investigative case outcomes for executives and security leaders. At the core of her work is a commitment to turning intelligence into impact, making the world a safer, more informed place.
