CISA orders federal agencies to inventory, patch and phase out unsupported edge devices

The Cybersecurity and Infrastructure Security Agency has directed federal civilian agencies to confront a persistent risk: aging edge devices exposed to the internet that no longer receive vendor security fixes. CISA says sophisticated adversaries are actively abusing these unsupported devices, creating an ongoing danger to systems that hold sensitive government data and support public services. Rather than issuing guidance alone, the agency issued a binding operational order that compels agencies to act on a firm timetable designed to drive inventorying, remediation and replacement. The schedule gives three months to locate unsupported edge hardware, a year to begin removing such equipment and 18 months to complete elimination, after which agencies must maintain continuous detection to prevent reintroduction of outdated systems. Where vendors still support a device, agencies are expected to upgrade to supported software immediately if doing so won’t break mission-essential functions. CISA framed the timeline to allow fiscal planning and to accommodate heterogeneous technology environments across agencies, while stressing that many fixes will require procurement and phased investments. The agency emphasized coordination with the Office of Management and Budget to track compliance rather than applying fines, signaling a governance and oversight approach rather than punitive enforcement. Officials warned that some exploitations appear linked to actors aligned with nation-state interests, underscoring the strategic consequences of leaving legacy gear online. The move follows earlier international collaboration on edge device guidance, but the new directive converts recommendations into mandatory federal action. For nonfederal organizations, CISA advised adopting similar measures to reduce exposure, arguing that leaving unsupported devices on enterprise networks is an unacceptable risk. The directive reframes legacy edge hardware from a maintenance problem into a national cybersecurity priority, and it forces agencies to budget, inventory and modernize in a compressed but practical timeline. The policy will likely accelerate procurement cycles for secure replacements, increase demand for managed network security services, and sharpen audit and asset-management practices across government technology stacks.