CISA orders federal agencies to inventory, patch and phase out unsupported edge devices

🇺🇸United States

GovernmentCybersecurityInformation Technology

Thu, Feb 5, 2026

The Cybersecurity and Infrastructure Security Agency has directed federal civilian agencies to confront a persistent risk: aging edge devices exposed to the internet that no longer receive vendor security fixes. CISA says sophisticated adversaries are actively abusing these unsupported devices, creating an ongoing danger to systems that hold sensitive government data and support public services. Rather than issuing guidance alone, the agency issued a binding operational order that compels agencies to act on a firm timetable designed to drive inventorying, remediation and replacement. The schedule gives three months to locate unsupported edge hardware, a year to begin removing such equipment and 18 months to complete elimination, after which agencies must maintain continuous detection to prevent reintroduction of outdated systems. Where vendors still support a device, agencies are expected to upgrade to supported software immediately if doing so won’t break mission-essential functions. CISA framed the timeline to allow fiscal planning and to accommodate heterogeneous technology environments across agencies, while stressing that many fixes will require procurement and phased investments. The agency emphasized coordination with the Office of Management and Budget to track compliance rather than applying fines, signaling a governance and oversight approach rather than punitive enforcement. Officials warned that some exploitations appear linked to actors aligned with nation-state interests, underscoring the strategic consequences of leaving legacy gear online. The move follows earlier international collaboration on edge device guidance, but the new directive converts recommendations into mandatory federal action. For nonfederal organizations, CISA advised adopting similar measures to reduce exposure, arguing that leaving unsupported devices on enterprise networks is an unacceptable risk. The directive reframes legacy edge hardware from a maintenance problem into a national cybersecurity priority, and it forces agencies to budget, inventory and modernize in a compressed but practical timeline. The policy will likely accelerate procurement cycles for secure replacements, increase demand for managed network security services, and sharpen audit and asset-management practices across government technology stacks.

PREMIUM ANALYSIS

Read Our Expert Analysis

Create an account or login for free to unlock our expert analysis and key takeaways for this development.

By continuing, you agree to receive marketing communications and our weekly newsletter. You can opt-out at any time.

Free Access

No Payment Needed

Join Thousands of Readers

Recommended for you

Cybersecurity

Cisco SD‑WAN Compromised; CISA and Five Eyes Order Emergency Hunts

CISA and Five Eyes partners warned of active exploitation against Cisco SD‑WAN, flagging two tracked CVEs and urging immediate hunts, log preservation, and patching. The alert joins a string of rapid, high‑impact exploit events (Fortinet, SolarWinds and other KEV additions), compressing remediation windows and forcing both near‑term incident response and longer‑term edge‑device inventory and replacement planning.

Cybersecurity

Critical SolarWinds Web Help Desk Flaw Exploited; CISA Orders Rapid Patching

A critical unauthenticated remote code execution bug in SolarWinds Web Help Desk (WHD) rooted in AjaxProxy deserialization is being exploited in the wild and was added to CISA’s Known Exploited Vulnerabilities list, triggering compressed federal remediation deadlines. The listing arrived alongside other high-priority KEV additions this patch cycle, reinforcing that administrative consoles and legacy proxy components are high-risk and require immediate patching and network controls.

Cybersecurity

Microsoft Intune: CISA Orders Immediate Hardening After Stryker Breach

CISA directed organizations to tighten configurations for Microsoft Intune after a disruptive incident hit Stryker on March 11; the advisory elevates endpoint-management security to an immediate compliance and operational priority. Vendor telemetry points to harvested administrative credentials and management-plane misuse, while public claims of widescale destructive wiping and actor attribution remain contested.

Cybersecurity

U.S. Information‑Sharing Under Strain: Law Sunset, Budget Cuts and Operational Drag Threaten Timely Threat Intelligence

A key 2015 information‑sharing statute has lapsed pending reauthorization, and CISA faces a near $500 million reduction in resources, undermining the speed and fidelity of threat intelligence between government and industry. Recent high‑velocity exploits, supply‑chain disclosures and regulatory penalties show why near‑real‑time, context‑rich sharing is increasingly critical — and increasingly brittle without legal clarity and processing capacity.

Cybersecurity

CISA Adds Five Bugs to KEV; Two Linux Flaws Draw Immediate Attention

CISA added five actively exploited vulnerabilities to its Known Exploited Vulnerabilities list, including two Linux issues and a Microsoft Office zero-day; agencies must remediate by Feb. 16, 2026 for the Office bug while operators should urgently inventory exposed Telnet services and apply available fixes or mitigations. Rapid in-the-wild activity—dozens of probes against a high-severity GNU Inetutils telnet authentication bypass—heightens the urgency for immediate patching, network controls, and telemetry-based detection.

Policy & Geopolitics

Patch Rush, Penalties and Power Plays: This Week’s Cybersecurity Events

A fast-exploited Fortinet flaw and an agentic-AI vulnerability in ServiceNow forced urgent remediation, while telecoms, a university, and a logistics provider faced data and security crises that drew enforcement and public scrutiny. National agencies issued OT and zero-trust guidance and investors poured $136M into defense-focused software, highlighting shifting incentives toward resilience and regulatory accountability.

Cybersecurity

White House Revokes Prior Software Security Mandates, Shifts Risk Authority to Agencies

The Office of Management and Budget issued memorandum M-26-05, rescinding earlier centralized software security directives and returning responsibility for software and hardware security policy to individual agency leaders. The guidance encourages agency-specific, risk-based controls and expands attention to hardware supply chain risks while making previous attestations and component inventories optional rather than mandatory.

Policy & Geopolitics

DHS Repurposes Federal Agencies to Expand ICE Enforcement

The administration redirected broad federal capacity into immigration enforcement — roughly $80B routed to the department portfolio and about $45B directed to ICE — while OMB and agency guidance rewrote grant and program rules to condition funding, compel data-sharing and push PHAs to re-verify residents. Complementary disclosures show parallel expansions in ICE’s physical footprint (150+ leased sites), a rapid 287(g) enrollment (about 1,412 active agreements), and an enforcement tempo tied to roughly 4,000 recent detentions and some 18,000 habeas filings, producing mounting legal, procurement and security risks.