78/69 Monday, February 9, 2026
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued Binding Operational Directive 26-02, instructing Federal Civilian Executive Branch (FCEB) agencies to strengthen the management of edge network devices. Agencies are required to identify and replace devices that have reached end-of-support status within 12 to 18 months to reduce cybersecurity risks, as these devices operate at the network perimeter and no longer receive security patches from vendors.
Under the directive, agencies must develop a comprehensive inventory of all edge devices, including firewalls, routers, switches, load balancers, wireless access points, IoT edge devices, and SDN components. They are required to report unsupported assets, upgrade or procure supported replacements, and remove end-of-support hardware and software from their networks within the specified timeframe. The directive also emphasizes improving asset lifecycle management processes to ensure continuous visibility into device status.
CISA’s Acting Director stated that unsupported devices pose a significant risk and should not remain in organizational networks. The measure aims to reduce technical debt and enhance the cyber resilience of national infrastructure. CISA will closely monitor compliance and encourages private-sector organizations to adopt similar end-of-support retirement practices to strengthen overall cyber hygiene.
