Over the next 12 to 18 months, Federal Civilian Executive Branch (FCEB) agencies have been directed by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to improve asset lifecycle management for edge network devices and eliminate those that are no longer receiving security updates from original equipment manufacturers (OEMs).

The agency stated that the action is intended to reduce technical debt and the risk of compromise, since state-sponsored threat actors use these devices as a preferred access pathway to breach target networks. Load balancers, firewalls, routers, switches, wireless access points, network security appliances, Internet of Things (IoT) edge devices, software-defined networks, and other real or virtual networking components that route network traffic and grant privileged access are all included under the general term "edge devices."

"Unsupported edge devices—hardware and software that no longer receive vendor updates to firmware or other security patches—are increasingly being exploited by persistent cyber threat actors," according to CISA. "These devices are particularly susceptible to persistent cyber threat actors taking advantage of a new or known vulnerability because they are positioned at the network perimeter." According to CISA, it has created an end-of-support edge device list to help FCEB agencies with this.

This list serves as a preliminary repository for data about devices that have already reached end-of-support or are anticipated to lose support. The product name, version number, and end-of-support date will all be included in this list.

The following steps must be taken by FCEB agencies in accordance with the recently published Binding Operational Directive 26-02, Mitigating Risk From End-of-Support Edge Devices:

- Update every vendor-supported edge device running end-of-support software to a vendor-supported software version (with immediate effect).
- List every device to determine which ones are no longer supported and notify CISA of this within three months.
- Remove from agency networks all end-of-support edge devices that are on the edge device list and replace them with vendor-supported devices that are capable of receiving security updates (within a year).
- Remove all additional edge devices that have been identified from agency networks and swap them out for vendor-supported devices that are capable of receiving security updates (within 18 months).
- Create a lifecycle management procedure to facilitate ongoing identification of every edge device and keep track of those that have reached or will reach end-of-support (in less than 24 months).

"Unsupported devices should never remain on enterprise networks because they pose a serious risk to federal systems," stated Madhu Gottumukkala, Acting Director of CISA.

"We can all work together to improve resilience and safeguard the global digital ecosystem by proactively managing asset lifecycles and eliminating end-of-support technology."