CISA tells federal agencies to replace at-risk end-of-life edge devices

News
By published

It's a reminder to remove and replace any unsupported devices

IoT Devices
(Image credit: Shutterstock) (Image credit: Shutterstock)
  • CISA has issued a binding operational directive requiring the removal of unsupported edge devices
  • They pose "disproportionate and unacceptable risks" that can be easily remediated
  • Every organization should focus on renewing hardware, not just the government

The US government's Cybersecurity and Infrastructure Security Agency (CISA) has issued a new warning to federal agencies to remove edge devices which have reached or passed end of support (EOS) over security fears.

US Government agencies have been given the next year to remove affected devices and replace them with equipment that's still covered by vendor security updates.

The push comes against a backdrop of rising cyberattacks, with threat actors honing in on vulnerable devices that no longer receive security patches.

US government told to remove unsupported devices

The body described edge devices as ones that are accessible via the public internet, like firewalls, routers, switches, wireless access points, network security appliances and IoT edge devices.

CISA said that devices past their sell-by date now pose "disproportionate and unacceptable risks" to federal systems. However, despite the risk that some agencies may be posing to the US government, CISA said it's one that "can be remediated."

"Agencies should mature their lifecycle management practices to identify hardware and software nearing their EOS dates, plan for timely replacements, procure vendor-supported alternatives, and develop a plan for decommissioning EOS devices while minimizing disruptions to agency operations," the binding operational directive (BOD 26-02) reads.

CISA also reminded agencies of Memorandum M-22-09 (Moving the US Government Toward Zero Trust Cybersecurity Principles), whereby they should adopt measures like multi-factor authentication (MFA), proper asset management, critical workload isolation and data encryption to maxmimize security.

Although CISA doesn't plan to public a list of affected devices, the body does encourage all organizations (not just federal agencies) to follow the guidance due to rising threats and easy remediation.

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

Craig Hale
Craig Hale

With several years’ experience freelancing in tech and automotive circles, Craig’s specific interests lie in technology that is designed to better our lives, including AI and ML, productivity aids, and smart fitness. He is also passionate about cars and the decarbonisation of personal transportation. As an avid bargain-hunter, you can be sure that any deal Craig finds is top value!

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.