CISA Directs Federal Agencies to Update Edge Devices

Binding Directive Requires Inventories and Replacements Jennifer Lawinski • February 5, 2026

U.S. federal agencies have 12 months to start replacing risky network appliances running past their vendor support cutoff date under a directive published Thursday by the U.S. Cybersecurity and Infrastructure Security Agency.

See Also: On-Demand | NYDFS MFA Compliance: Real-World Solutions for Financial Institutions

The cybersecurity agency targeted out-of-date firewalls, routers, switches, IoT edge devices, VPNs and network gateways that sit on the perimeters of agency networks in Binding Operational Directive 26-02.

Network appliances have become a recurring motif in recent nation-state and advanced criminal hacking campaigns as threat actors discovered they typically lack antimalware or other endpoint detection and response capabilities, are opaque to system administrators and can themselves suffer from sloppily-built internals.

The directive comes on the heels of a surge in attacks against internet-facing edge devices, which attackers increasingly exploit soon after vulnerabilities are disclosed ...