
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal civilian executive branch (FCEB) agencies to strengthen asset lifecycle management of edge network devices and remove devices that no longer receive security updates from original equipment manufacturers (OEMs) within the next 12 to 18 months.
The agency said the step is intended to reduce technical debt and minimize the risk of breach, as state-sponsored threat actors use such devices as a preferred access route into target networks.
"Edge devices" is an umbrella term that covers load balancers, firewalls, routers, switches, wireless access points, network security appliances, Internet of Things (IoT) edge devices, software-defined networks, and other physical or virtual network components that route network traffic and maintain privileged access.
“Relentless cyber attackers are increasingly exploiting unsupported edge devices, hardware and software that no longer receive vendor updates for firmware and other security patches,” CISA said. “These devices located at the network perimeter are particularly vulnerable to persistent cyber attackers exploiting new or known vulnerabilities.”
To assist FCEB agencies in this regard, CISA said it has created the End of Life Edge Devices List, which serves as a preliminary repository of information about devices that have already reached end of support or are expected to reach end of support. The list includes the product name, version number, and end-of-support date.
The newly published Binding Operational Directive 26-02, “Mitigating the Risks of End-of-Life Edge Devices,” requires FCEB agencies to take the following actions:
- Update each vendor-supported edge device running end-of-life software to a vendor-supported software version (effective immediately)
- Catalog all devices to identify end-of-life devices and report them to CISA (within 3 months)
- Retire all edge devices that are out of support and listed on the edge device list from the agency’s network and replace them with vendor-supported devices that can receive security updates (within 12 months)
- Retire all other identified edge devices from the agency’s network and replace them with vendor-supported devices that can receive security updates (within 18 months)
- Establish a lifecycle management process to enable continuous discovery of all edge devices and maintain an inventory of devices scheduled for end-of-life (within 24 months)
“Unsupported devices pose a serious risk to federal systems and should never be left on corporate networks,” said Madhu Gottumukkala, CISA Acting Director. “By proactively managing asset lifecycles and removing end-of-life technologies, we can collectively strengthen resilience and protect the global digital ecosystem.”
