CISA orders federal agencies to retire end‑of‑life edge devices; FBI urges industry to adopt similar steps

FBI Cyber Division (Ahead of the Threat podcast) · February 25, 2026

AI-Generated Content: All content on this page was generated by AI to highlight key points from the meeting. For complete details and context, we recommend watching the full video.

Summary

CISA’s Binding Operational Directive 26‑02 requires federal civilian agencies to inventory and remove end‑of‑life routers, VPN appliances and other edge devices; FBI officials urged industry to mirror the directive’s inventory and retirement steps and prioritize known‑exploited vulnerabilities.

On Feb. 5 the Cybersecurity and Infrastructure Security Agency issued Binding Operational Directive 26‑02, directing U.S. federal civilian agencies to identify and remove end‑of‑life edge devices from agency networks. Brett Leatherman of the FBI said the agency signed the directive’s fact sheet and is promoting the guidance to industry partners.

"Having an end of life device on the edge of your network is almost like putting a key to your house under the doormat," Mike Machtinger said, describing why legacy routers, firewalls and VPN appliances are high‑value attack vectors. He and Leatherman urged organizations to inventory devices, apply compensating controls while planning retirement, and automate tracking of device lifecycles.

The directive gives agencies discrete timelines: a short identification window, decommissioning of already unsupported devices within months and replacement within a longer timeframe. The speakers said the timelines (identify, retire, replace) and the CISA Known Exploited Vulnerabilities (KEV) catalog should guide prioritization: externally facing devices and CVEs with high CVSS scores deserve immediate attention.

John Hammond of Huntress, speaking in the episode’s interview, reinforced those recommendations from the provider perspective, saying defenders repeatedly find legacy devices still connected and unpatched. "That visibility has always kinda been the biggest thing that we need to, okay, bring to that organization and say, hey, this is still out there," Hammond said.

Why it matters: legacy edge devices that no longer receive vendor updates are persistent, high‑impact entry points for both criminal groups and nation‑state actors. The speakers argued that following CISA’s process reduces the attack surface and helps protect both federal and private networks.

What organizations can do now: build an asset and application inventory, prioritize externally facing and high‑severity items (KEV entries), implement compensating controls until devices are retired, and assign ownership and timelines for remediation or replacement.
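The prioritization described above can be run as a simple triage pass over an asset inventory. The sketch below is an added example, not code from CISA, the FBI or the podcast. The device names, dates, CVE ids and the `KEV_IDS` set are constructed placeholders, and the sort order is an assumed reading of the speakers' advice.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

@dataclass
class Device:
    name: str
    external: bool                 # reachable from the internet?
    end_of_support: date           # vendor end-of-life date from lifecycle records
    owner: Optional[str] = None    # team accountable for remediation
    cves: dict = field(default_factory=dict)  # CVE id -> CVSS base score

# Constructed sample data: hypothetical devices and placeholder CVE ids.
INVENTORY = [
    Device("branch-vpn-01", True, date(2024, 6, 30), None, {"CVE-0000-0001": 9.8}),
    Device("core-fw-02", True, date(2029, 1, 31), "netops", {"CVE-0000-0002": 7.5}),
    Device("lab-router-03", False, date(2023, 3, 31), "lab", {"CVE-0000-0003": 9.1}),
    Device("edge-fw-04", True, date(2028, 12, 31), "netops", {"CVE-0000-0004": 8.8}),
    Device("mgmt-switch-05", False, date(2030, 5, 31), "netops"),
]
# Constructed stand-in for the set of CVE ids loaded from the KEV catalog.
KEV_IDS = {"CVE-0000-0001", "CVE-0000-0003", "CVE-0000-0004"}

def triage(devices, kev_ids, today):
    """Return one finding per device, most urgent first."""
    findings = []
    for d in devices:
        eol = d.end_of_support <= today          # no more vendor updates
        kev_hits = sorted(set(d.cves) & kev_ids)
        if eol:
            action = "compensating controls now, schedule retirement"
        elif kev_hits:
            action = "patch known-exploited CVEs"
        else:
            action = "track lifecycle"
        findings.append({
            "name": d.name, "external": d.external, "eol": eol,
            "kev": kev_hits, "max_cvss": max(d.cves.values(), default=0.0),
            "action": action, "needs_owner": d.owner is None,
        })
    # Assumed ordering: external before internal, then EOL, then KEV hits, then CVSS.
    findings.sort(key=lambda f: (not f["external"], not f["eol"],
                                 not f["kev"], -f["max_cvss"]))
    return findings

if __name__ == "__main__":
    for f in triage(INVENTORY, KEV_IDS, date(2026, 2, 25)):
        print(f)
```

Devices flagged `needs_owner` are the ones for which no remediation owner has been recorded yet.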