CISA BOD 26-02 and the Risk of Unsupported Edge Devices: What Security Leaders Should Take From It
CISA Binding Operational Directive 26-02, issued February 5, 2026, requires Federal Civilian Executive Branch (FCEB) agencies to inventory, decommission, and continuously monitor end-of-support (EOS) edge devices on their networks.
If you are not a federal agency, the directive doesn't directly apply to you. But it still matters. CISA only issues binding directives when the threat is widespread and well-documented, and CISA, the FBI, and the UK's NCSC have all encouraged every organization to follow the same playbook. The reason is in the data: edge devices were the entry point for 22 percent of vulnerability-driven breaches in 2024, an eightfold jump in a single year, according to the Verizon 2025 Data Breach Investigations Report.
Attackers do not check whether you are FCEB before targeting your VPN. Combined with CISA's new CI Fortify initiative and FedRAMP's 2026 scope guidance treating public external attack surface management as outside FedRAMP scope, the message to security leaders is clear: continuous external visibility into edge devices is now baseline hygiene, federal mandate or not.
What BOD 26-02 requires
BOD 26-02, "Mitigating Risk From End-of-Support Edge Devices," set five milestones for FCEB agencies after issuance on February 5, 2026:
- Immediate. Update any vendor-supported edge device running EOS software to a supported version.
- 3 months (May 5, 2026). Inventory all devices on CISA's EOS Edge Device List and report to CISA using the agency-provided template.
- 12 months (February 5, 2027). Decommission all listed EOS devices and inventory any edge devices that are EOS or will reach EOS in the next 12 months.
- 18 months (August 5, 2027). Complete removal of all identified EOS edge devices and replace them with vendor-supported alternatives.
- 24 months (February 5, 2028). Establish a continuous discovery process and a mature lifecycle management program that decommissions devices on or before their EOS dates.
The directive scopes "edge devices" broadly. Per CISA, the category includes load balancers, firewalls, routers, switches, wireless access points, network security appliances, IoT edge devices, software-defined networks, and "other physical or virtual networking" devices that sit at the network boundary.
CISA's framing of why is direct. "Unsupported devices pose a serious risk to federal systems and should never remain on enterprise networks," said Acting Director Madhu Gottumukkala in the February 5, 2026 announcement.
Why CISA acted now
The directive lands on top of a year of compounding evidence that edge gear has become the attack surface attackers care about most.
The Verizon 2025 DBIR analyzed 22,052 incidents and 12,195 confirmed breaches between November 2023 and October 2024. Among breaches that started with vulnerability exploitation, 22 percent involved edge devices and VPNs, up from just 3 percent the year before. Only 54 percent of those edge vulnerabilities were fully remediated during the observation period, and the median time to remediate was 32 days. For internet-facing infrastructure with public proof-of-concept code, that is an eternity.
The Mandiant M-Trends 2025 report tells the same story from a different angle. Across 450,000 hours of incident response engagements in 2024, exploits were the most common initial infection vector at 33 percent, and the four most frequently exploited vulnerabilities were all in edge devices: Palo Alto Networks PAN-OS GlobalProtect (CVE-2024-3400), Ivanti Connect Secure VPN and Ivanti Policy Secure (CVE-2023-46805 and CVE-2024-21887), and Fortinet FortiClient Endpoint Management Server (CVE-2023-48788). Three of those four were exploited as zero-days before patches were available.
The campaigns behind the data are not theoretical. UNC5221, a suspected Chinese cyber espionage cluster, exploited the Ivanti zero-days as early as December 2023. CISA's Emergency Directive 25-03, updated in 2026, ordered federal agencies to hunt for the FIRESTARTER backdoor on Cisco ASA and Firepower devices and to permanently disconnect EOS hardware. Volt Typhoon's prepositioning campaign against US critical infrastructure, the same threat that anchors much of CISA's recent public guidance, has relied heavily on compromised edge routers as proxy infrastructure.
In short: attackers know that edge devices are lightly monitored, slow to patch, and frequently kept in service past their support dates. They have shifted accordingly.
How BOD 26-02 fits with CI Fortify
CISA's CI Fortify initiative, announced in May 2026, asks critical infrastructure operators to plan for a different scenario: a geopolitical crisis in which third-party connections, internet, telecommunications, and vendor services are unreliable, and threat actors already have some access to the operational technology network. Its two emergency planning pillars are isolation (proactively disconnecting from third-party and business networks to protect OT) and recovery (restoring compromised systems quickly while operating in isolation).
The connection to BOD 26-02 is operational. You cannot isolate cleanly from infrastructure you have not inventoried. You cannot recover quickly when EOS gear is propping up critical services and no patch path exists. BOD 26-02 is the hygiene layer that makes CI Fortify possible: know what is on your perimeter, know what is supportable, and remove the rest.
The FedRAMP signal most people missed
While BOD 26-02 was getting headlines, FedRAMP's 2026 Consolidated Rules public preview clarified something quieter but consequential for security leaders watching federal cloud policy: public attack surface management services that only review publicly available internet services, use no privileged or internal access, and are not supplied with non-public information about an agency's internet services fall outside the scope of FedRAMP.
The reasoning in the FedRAMP guidance is straightforward: if a service only scans external, internet-accessible addresses, the data it collects is effectively public, and the service is not storing sensitive federal information.
For private-sector security leaders, the practical signal is broader than the federal context. FedRAMP is treating external visibility as a capability that should not be slowed by procurement friction. That is a vote of confidence in the EASM model itself, and it lines up with what the Verizon and Mandiant data has been arguing for two years.
What private-sector security leaders should take away
While you are not subject to BOD 26-02 if you are not an FCEB agency, the directive is the clearest signal yet that the federal government considers unsupported edge devices a top-tier risk, and the threat actors driving that conclusion are the same ones targeting private-sector networks. The Verizon DBIR data, the Mandiant M-Trends findings, and the campaigns behind directives like ED 25-03 are not federal-only phenomena. They are the threat landscape every security team is operating in.
When CISA, FBI, and NCSC jointly publish a fact sheet urging non-federal organizations to follow the directive's guidance, the practical translation is straightforward: treat BOD 26-02 as a benchmark. Boards, auditors, and cyber insurers are going to start asking whether your edge device program looks like what the federal government just mandated. Getting ahead of that conversation is cheaper than catching up to it.
Five takeaways worth operationalizing now:
- Inventory every internet-facing edge device. This is the BOD 26-02 starting point and the part most organizations get wrong. The CMDB, the cloud accounts, and the network team's spreadsheets rarely agree, and the devices that fall between those inventories are usually the ones that are exposed and unmanaged.
- Track EOS dates as a first-class asset attribute. Vulnerability data and lifecycle data have to live together. A patched device with no remaining support runway is a future incident waiting for a calendar date.
- Cross-reference exposed devices against the CISA KEV catalog. The DBIR found that roughly one in three edge-device KEVs was still entirely unremediated at the end of its observation window, the highest non-remediation rate among the vulnerability classes it tracked. That is where the breaches are.
- Remove or segment any management interface that does not need to be on the public internet. This is the spirit of BOD 23-02, and it remains one of the highest-leverage hardening steps available.
- Build continuous discovery, not point-in-time inventories. BOD 26-02's 24-month requirement is for a mature, continuous discovery process. Point-in-time scans are stale the moment they finish. Continuous monitoring of your attack surface is the only model that keeps pace with how quickly internet-facing infrastructure changes.
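The first three takeaways above are one join: the merged device inventory, each device's end-of-support date, and the KEV catalog, ranked the way the BOD 26-02 milestones rank them. The script below is an added example and is not code from the article or from Halo Security. Its inventory rows are constructed, with an assumed schema (vendor, product, version, EOS date, exposure flags), and its KEV extract is a constructed subset that reuses the field names of CISA's published KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate); the four CVE IDs are the ones named earlier on this page, but the dates in both data sets are illustrative, not authoritative. The reference date is the directive's issue date.

```python
"""Join an edge-device inventory with EOS dates and a KEV extract, then rank.

Added example, not code from the article or from Halo Security. INVENTORY and
KEV are constructed sample data; the KEV rows mirror the field names of the
real CISA feed, but the dates are illustrative.
"""
from __future__ import annotations

from datetime import date, datetime

REFERENCE_DATE = date(2026, 2, 5)  # BOD 26-02 issue date, used as "today"

# Constructed inventory (assumed schema). In practice this is the merge of
# CMDB, cloud-account and external discovery results, not a hand-written list.
INVENTORY = [
    {"host": "vpn-hq-01", "vendor": "Ivanti", "product": "Connect Secure",
     "version": "9.1R18", "eos_date": "2024-12-31",
     "internet_exposed": True, "mgmt_iface_public": False},
    {"host": "fw-branch-17", "vendor": "Palo Alto Networks", "product": "PAN-OS",
     "version": "11.1.2-h3", "eos_date": "2027-06-30",
     "internet_exposed": True, "mgmt_iface_public": True},
    {"host": "ems-dc-02", "vendor": "Fortinet", "product": "FortiClient EMS",
     "version": "7.2.3", "eos_date": "2026-09-30",
     "internet_exposed": True, "mgmt_iface_public": False},
    {"host": "sw-core-01", "vendor": "Cisco", "product": "Catalyst 9300",
     "version": "17.9.4", "eos_date": "2031-10-31",
     "internet_exposed": False, "mgmt_iface_public": False},
]

# Constructed KEV subset using the real feed's field names. Dates illustrative.
KEV = {"vulnerabilities": [
    {"cveID": "CVE-2024-3400", "vendorProject": "Palo Alto Networks",
     "product": "PAN-OS", "dateAdded": "2024-04-12", "dueDate": "2024-04-19"},
    {"cveID": "CVE-2023-46805", "vendorProject": "Ivanti",
     "product": "Connect Secure and Policy Secure",
     "dateAdded": "2024-01-10", "dueDate": "2024-01-22"},
    {"cveID": "CVE-2024-21887", "vendorProject": "Ivanti",
     "product": "Connect Secure and Policy Secure",
     "dateAdded": "2024-01-10", "dueDate": "2024-01-22"},
    {"cveID": "CVE-2023-48788", "vendorProject": "Fortinet",
     "product": "FortiClient EMS", "dateAdded": "2024-03-25",
     "dueDate": "2024-04-15"},
]}


def _norm(s: str) -> str:
    return " ".join(s.lower().split())


def kev_matches(asset: dict, kev: dict) -> list[str]:
    """CVE IDs in the KEV extract whose vendor/product line covers the asset.

    KEV carries no version data, so a hit means "a known-exploited bug exists
    for this product line; confirm the running version is patched", not
    "this device is vulnerable".
    """
    vendor, product = _norm(asset["vendor"]), _norm(asset["product"])
    return sorted(
        v["cveID"] for v in kev["vulnerabilities"]
        if _norm(v["vendorProject"]) == vendor and product in _norm(v["product"])
    )


def days_to_eos(asset: dict, today: date) -> int:
    """Negative when the device is already past its end-of-support date."""
    eos = datetime.strptime(asset["eos_date"], "%Y-%m-%d").date()
    return (eos - today).days


def triage(inventory: list[dict], kev: dict, today: date) -> list[dict]:
    """Rank devices as the BOD 26-02 milestones would: EOS and exposed first,
    EOS within a year next, then supported gear that still needs a patch
    check or an internet-facing management interface removed."""
    rows = []
    for a in inventory:
        remaining = days_to_eos(a, today)
        cves = kev_matches(a, kev)
        actions = []
        if remaining < 0:
            tier = "P1" if a["internet_exposed"] else "P2"
            actions.append("end of support: decommission or isolate")
        elif remaining <= 365:
            tier = "P2"  # the 12-month milestone asks for exactly this list
            actions.append(f"reaches EOS in {remaining} days: schedule replacement")
        elif cves or a["mgmt_iface_public"]:
            tier = "P3"
        else:
            tier = "P4"
            actions.append("supported and not exposed: monitor")
        if cves:
            actions.append("verify patch level against " + ", ".join(cves))
        if a["mgmt_iface_public"]:
            actions.append("management interface is internet-facing: remove or restrict (BOD 23-02)")
        rows.append({"host": a["host"], "tier": tier, "days_to_eos": remaining,
                     "kev_cves": cves, "actions": actions})
    rows.sort(key=lambda r: (r["tier"], r["days_to_eos"]))
    return rows


def triage_report() -> list[dict]:
    """Run the sample data against the reference date."""
    return triage(INVENTORY, KEV, REFERENCE_DATE)


if __name__ == "__main__":
    for r in triage_report():
        print(f'{r["tier"]} {r["host"]:<13} eos_in={r["days_to_eos"]:>5}d  '
              + "; ".join(r["actions"]))
```

The one design choice worth noting is the KEV match: the catalog is keyed by vendor and product line, never by version, so a match is a prompt to check the running build, not a finding. Treating it as a finding produces false positives on patched gear and, worse, hides the real signal, which is the device that matches a KEV product and is also past its support date.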
Where EASM fits
The hardest part of BOD 26-02 for most organizations isn't the decommissioning. It's the inventory. And this is where the gap between federal and private-sector security operations is smaller than people assume.
Federal agencies have CMDBs that drift, acquisitions that bring in undocumented infrastructure, and regional offices running gear nobody has touched in years. So does every mid-market and enterprise organization. Edge devices get deployed by network teams, inherited through M&A, exposed by cloud misconfigurations, or stood up by business units that never made it into the asset register. A CMDB built from agent-based telemetry is not going to find the firewall sitting at a regional office that was last touched in 2019, regardless of whether you report to a CISO or to OMB.
External attack surface management closes that gap from the outside. By scanning the way an attacker would, EASM identifies exposed firewalls, VPN gateways, and other edge infrastructure regardless of whether they appear in any internal inventory. Pair that with continuous vulnerability scanning and KEV-aware prioritization and you have the operational pattern BOD 26-02 is asking federal agencies to build, applied to the same threat landscape every security team is defending against.
That is the model Halo Security delivers. Continuous discovery, auto-configured vulnerability scanning across assets, KEV-prioritized findings, and expert remediation guidance, in one platform. It is the next generation of external vulnerability management, built for the security teams that need to know what is on their perimeter today, not last quarter.
See your edge devices the way attackers do
BOD 26-02 codifies what every security team should already be doing: continuous discovery and lifecycle management of every device on the perimeter. If you are not sure how many edge devices are exposed in your environment right now, or which of them are no longer supported, that is the gap to close first.
Get a demo of Halo Security and see your full external attack surface, including unsupported edge devices, in one view.
FAQ
What is CISA BOD 26-02?
CISA Binding Operational Directive 26-02, "Mitigating Risk From End-of-Support Edge Devices," is a February 5, 2026 directive requiring Federal Civilian Executive Branch agencies to inventory, decommission, and continuously monitor edge devices that are no longer supported by their manufacturers. The directive sets milestones at 3, 12, 18, and 24 months after issuance.
Who does BOD 26-02 apply to?
BOD 26-02 is a binding requirement only for FCEB agencies. CISA, the FBI, and the UK's National Cyber Security Centre have publicly encouraged all organizations to follow the same guidance, and many private-sector security leaders are using it as a benchmark for their own edge device lifecycle programs.
What counts as an edge device under BOD 26-02?
CISA defines edge devices as hardware or software residing at the boundary of an organization's network and accessible from the public internet. Examples include load balancers, firewalls, routers, switches, wireless access points, network security appliances, IoT edge devices, and software-defined networks.
How does BOD 26-02 relate to CI Fortify?
CI Fortify is a separate CISA initiative announced in May 2026 focused on isolation and recovery for critical infrastructure during a geopolitical crisis. BOD 26-02 supports CI Fortify by ensuring agencies actually know what is on their network perimeter and have removed unsupported devices that would block clean isolation or recovery.
Does FedRAMP authorization apply to external attack surface management tools?
According to FedRAMP's 2026 scope guidance, public attack surface management services fall outside FedRAMP scope when they only review publicly available internet services, use no privileged or internal access, and are not supplied with any non-public agency information. Federal agencies should still confirm scope determinations with their own authorizing officials.