Federal Networks Face Rising Risk From Unsupported Edge Devices
Key Takeaways
- Unsupported Edge Devices Under Scrutiny: CISA has issued a binding directive requiring federal civilian agencies to identify and remove edge devices that no longer receive vendor security updates.
- Perimeter Systems Seen as High-Risk Targets: Devices at the network edge, including firewalls, routers, and IoT components, are increasingly exploited by threat actors once the devices reach end-of-support.
- Lifecycle Management Becomes Mandatory: Agencies must establish continuous asset discovery and lifecycle management processes to prevent unsupported technology from remaining on networks.
- Inventory and Reporting Required: Federal agencies are required to inventory all edge devices, report end-of-support systems to CISA, and either upgrade or remove them within set timelines.
- Signal Beyond Government Networks: While binding only on federal agencies, CISA is urging private sector and critical infrastructure organizations to adopt similar practices to reduce systemic risk.
Deep Dive
The Cybersecurity and Infrastructure Security Agency has ordered federal civilian agencies to take a hard look at the devices sitting at the edge of their networks, and to remove any that can no longer be supported, as part of a broader push to reduce exposure to cyberattacks.
In a new Binding Operational Directive released Wednesday, CISA said Federal Civilian Executive Branch (FCEB) agencies must strengthen how they manage the full lifecycle of edge devices and eliminate hardware and software that no longer receive security updates from vendors. The move targets a persistent and growing weakness across enterprise networks: unsupported systems that remain operational long after vendors have stopped patching them.
Edge devices (including firewalls, routers, load balancers, switches, and other network-facing components) sit at the perimeter of government networks. That position makes them especially attractive targets for threat actors, particularly when vulnerabilities can no longer be remediated through routine updates.
From Technical Debt to Real-World Risk
CISA said unsupported edge devices are increasingly being exploited as entry points, allowing attackers to establish long-term access to sensitive systems. The directive frames the issue as both a cybersecurity and a governance problem, pointing to technical debt and weak asset lifecycle management as underlying causes.
Under the order, agencies must inventory their edge devices, identify those that have reached end-of-support, and report their findings to CISA. Devices running unsupported software must be upgraded to vendor-supported versions where possible, while hardware that can no longer be maintained must be removed from agency networks and replaced.
Agencies are also required to go beyond one-time cleanups and put more durable processes in place, including continuous discovery of edge devices and forward-looking tracking of systems approaching end-of-support.
A Message From CISA Leadership
“Unsupported devices pose a serious risk to federal systems and should never remain on enterprise networks,” said Madhu Gottumukkala, CISA’s Acting Director. She said the directive reflects the need for decisive action as threat actors continue to probe the federal attack surface for overlooked weaknesses.
Nick Andersen, CISA’s Executive Assistant Director for Cybersecurity, emphasized that removing unsupported technology is a basic but often delayed step toward resilience. He said meaningful risk reduction depends on organizations actively managing asset lifecycles rather than reacting after vulnerabilities are exploited.
Both officials stressed that while the directive applies to federal civilian agencies, the underlying risks are not unique to government systems.
Oversight, Compliance, and a Broader Signal
CISA said it will monitor agency compliance with the directive, assess progress, and provide implementation support where needed. The agency positioned the order as part of its broader effort to use its statutory authorities to drive faster risk reduction across the federal enterprise.
Although non-federal organizations are not bound by the directive, CISA encouraged private sector and critical infrastructure operators to adopt similar practices, warning that unsupported edge devices remain a common and dangerous blind spot.
The directive arrives as many organizations, public and private alike, grapple with sprawling infrastructure, aging network equipment, and delayed refresh cycles. For federal agencies, unsupported technology at the network edge is no longer a tolerable risk, and clearing it out is now a matter of policy, not preference.

