The Cybersecurity and Infrastructure Security Agency (CISA) this month issued a new Binding Operational Directive (BOD) – a compulsory directive to all federal agencies – with significant implications for network device vendors and the cybersecurity ecosystem at large. This BOD targets boundary network devices – referred to as edge devices in the directive – that are “end-of-service” or no longer being regularly updated by their respective vendors.

BOD 26-02: Mitigating Risk From End-Of-Support (EOS) Edge Devices is a broad scope directive that applies to not only all Federal Civilian Executive Branch (FCEB) agencies, but also to contracts that those agencies hold for managed network hardware and for services hosted on the agency’s behalf. The mandate has a simple set of required actions, each with a deadline that follows from the publication date of the mandate:

  1. Immediately: All agencies must update EOS software and firmware to a vendor-supported version, if one is available. While exceptions are made for updates that would hinder mission-critical functionality, this requirement continues in perpetuity.
  2. Within three months: all agencies must provide CISA with a full inventory of edge devices that appear on the CISA EOS Edge Device List, a CISA-curated list of high-risk EOS devices. Agencies must continue to identify and track these devices and update their inventory following CISA instructions.
  3. Within 12 months: all agencies must decommission devices on the CISA EOS Edge Device List that have gone into an EOS state on February 5, 2027, or earlier, and report their decommissioning to CISA. Additionally, the agency EOS inventory must be expanded to cover all EOS devices and all devices that will become EOS within 12 months, not just those on the CISA list.
  4. Within 18 months: all agencies must decommission all identified EOS edge devices and report these decommissions.
  5. Within 24 months: all agencies must establish a process for continuous discovery of EOS devices and of devices that will become EOS within a 12-month window. The process must additionally result in the decommissioning of these devices before their EOS date.

Notably, these requirements do not apply to any service procured through the FedRAMP marketplace, operational technology (as defined in NIST SP 800-37), and non-civilian applications.

A Shakeup in the Network Device Market

This mandate carries heavy implications for federal agencies, network device vendors, and contracted managed service providers. The BOD places the brunt of the financial burden on agencies, which will have to make major expenditures over the next 24 months to replace EOS devices. Agencies with large legacy technology stacks will have to replace entire systems and infrastructures – and will be under time pressure to complete these overhauls by the CISA deadlines.

Legacy network devices fostered a specific market for devices and software that interacted and interfaced with those older technologies. As those devices are decommissioned, the market will shift seismically as demand for purchases that support legacy equipment starts to wane. New markets, driven by modern APIs and automation technologies, have an opportunity to take hold at agencies where they previously had no penetration.

While some agencies are bristling at the impending resource demand, others welcome the opportunity to create more secure and maintainable network boundaries.

Demand for Automation

Beyond the immediate impact on the state of network hardware across the federal government, the CISA BOD has a secondary requirement throughout that will drive further change and modernization in government systems: continuous assessment and inventory. CISA mandates that agencies must identify, track, and update/decommission ALL EOS network devices across their enterprise and continuously provide status updates to CISA.

While CISA is evaluating options for automated ingest of this information on its end, the precise mechanics of gathering and storing this data are left up to individual agencies to decide. CISA will provide an initial list of EOS edge devices, as mentioned in the requirements above, which will include the product name, version number, and EOS date. Agencies will need to evaluate options for managing this real-time inventorying – and will need to lean on automation technologies that can reduce the human workload involved.
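The continuous-discovery process in requirement 5 above and the list fields just described (product name, version number, EOS date) are the kind of reconciliation that automation has to do. The following is an added example, not part of the original article and not CISA or agency tooling: it matches a constructed agency inventory against a constructed EOS list in that shape and buckets each device into the BOD's categories (already EOS, EOS within the 12-month window, and the February 5, 2027 first-wave decommission cutoff). All device names, versions and dates are constructed.

```python
from datetime import date, timedelta

# Constructed sample in the shape the BOD describes for the CISA EOS Edge
# Device List: (product name, version, EOS date). Not CISA's real list.
EOS_LIST = [
    ("ExampleVendor EdgeGW 1000", "4.1", date(2025, 6, 30)),
    ("ExampleVendor EdgeGW 2000", "5.0", date(2026, 11, 1)),
    ("ExampleVendor EdgeGW 2000", "6.2", date(2027, 3, 15)),
]

# Constructed agency inventory: (hostname, product name, running version).
INVENTORY = [
    ("gw-dc1-01", "ExampleVendor EdgeGW 1000", "4.1"),
    ("gw-dc1-02", "ExampleVendor EdgeGW 2000", "5.0"),
    ("gw-dc2-01", "ExampleVendor EdgeGW 2000", "6.2"),
    ("gw-dc2-02", "ExampleVendor EdgeGW 3000", "7.0"),
]

LOOKAHEAD = timedelta(days=365)        # the BOD's 12-month discovery window
FIRST_WAVE_CUTOFF = date(2027, 2, 5)   # EOS on/before this date: 12-month decommission deadline


def classify(inventory, eos_list, today_iso):
    """Bucket each inventoried device by EOS status as of `today_iso` (YYYY-MM-DD).

    Matching is an exact (product, version) lookup, so vendor-name and version
    strings must be normalized before this step in a real pipeline.
    """
    today = date.fromisoformat(today_iso)
    lookup = {(product, version): eos for product, version, eos in eos_list}
    report = {"eos_now": [], "eos_within_12mo": [], "listed_not_yet_eos": [],
              "unlisted": [], "first_wave": []}
    for host, product, version in inventory:
        eos = lookup.get((product, version))
        if eos is None:
            report["unlisted"].append(host)          # still needs vendor lifecycle lookup
            continue
        if eos <= today:
            report["eos_now"].append((host, eos.isoformat()))
        elif eos <= today + LOOKAHEAD:
            report["eos_within_12mo"].append((host, eos.isoformat()))
        else:
            report["listed_not_yet_eos"].append(host)
        if eos <= FIRST_WAVE_CUTOFF:               # requirement 3: first decommission wave
            report["first_wave"].append(host)
    return report


if __name__ == "__main__":
    for bucket, hosts in classify(INVENTORY, EOS_LIST, date.today().isoformat()).items():
        print(f"{bucket}: {hosts}")
```

Devices in the "unlisted" bucket are not cleared: requirement 3 extends the inventory beyond the CISA list, so those still need their vendor's lifecycle dates.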

A Pattern of Procurement

BOD 26-02 is a strong statement from the federal government that it is serious about continuing to drive enhanced cybersecurity requirements at all levels of federal operations. Alongside similarly increasing requirements in the defense sector (CMMC 2.0), the government has made it clear that it intends to protect national security interests using the procurement process.

The requirements placed on agencies flow down into their contracts, and any company providing products or services to the U.S. government will have to get on board or be left behind. The exemption of services procured through the FedRAMP Marketplace from the BOD also appears to indicate that CISA would like to see more agencies go through that process instead of a proprietary, agency-specific contract.

Agencies and vendors should get ready for the rapidly approaching CISA deadlines – and prepare for more cybersecurity requirements and restrictions in the future.

Collaboration as a Way Forward

The Network Resilience Coalition (NRC), an industry group of network hardware vendors, purchasers, enterprise users, telecommunications infrastructure operators, and governments, published a whitepaper in 2024 that laid out recommendations for handling network resiliency challenges such as end-of-life network components.

Providing guidance for both producers and consumers of network products, the whitepaper has served as a signpost for the industry to rally around. As CISA continues to drive regulatory and compliance activities around end-of-life network products, the NRC welcomes any stakeholder to join the dialogue and help lay out the future of network resiliency.

Stephen Banghart
