
America’s federal agencies have been told to hunt down and rip out aging firewalls, routers, and other network gatekeepers before attackers use them as skeleton keys into government systems.
CISA has issued a Binding Operational Directive that orders federal civilian executive branch agencies to inventory and replace “end-of-support” edge devices – hardware and software that vendors no longer patch or maintain – in a bid to close one of government IT’s most persistent intrusion paths.
The directive, published this week, requires agencies to immediately update still-supported equipment and, within three months, produce a comprehensive inventory of edge devices to identify those past vendor support deadlines. Anything that’s fallen off the vendor support cliff has to be booted off government networks and replaced with kit that still gets security fixes. Agencies have about a year to finish the hardware spring clean, and two years to put tracking in place so they don’t end up quietly running abandonware again.
CISA is acting after years of watching obsolete edge hardware morph into reliable break-in tools. Firewalls, VPN gateways, routers, and other outward-facing security gear sit right on the network’s front line, and when one is compromised, it can open a surprisingly short path to everything behind it.
When vendors stop issuing patches, newly discovered flaws remain permanently exposed, turning those devices into what CISA calls a “substantial and constant” risk to federal networks.
Acting CISA boss Madhu Gottumukkala said unsupported devices have no business staying plugged into enterprise networks, pitching the directive as part of a wider push to toughen up federal systems against the steady drumbeat of cyber campaigns targeting both government and industry.
To help agencies comply, CISA plans to publish and maintain a list of edge devices that have reached or are nearing the end of support. The directive was developed alongside the Office of Management and Budget (OMB) and effectively adds enforcement muscle to long-standing federal policy requiring agencies to phase out unsupported technologies as quickly as possible.
The directive may be labeled binding, but it doesn’t come with financial smackdowns or handcuffs. CISA monitors progress with help from OMB, banking on the fact that agencies usually treat these mandates as something closer to law than guidance.
The agency is also urging state, local, and private-sector organizations to adopt similar cleanup efforts, even though the directive formally applies only to federal civilian systems.
The order lands amid a broader recognition that attackers increasingly target infrastructure rather than endpoints, exploiting network gear that may run quietly for years without attention. The directive makes clear that swapping out old hardware is now part of the security playbook, not just a line item buried in procurement.