CISA orders agencies to patch and replace end-of-life devices, citing active exploitation

The Cybersecurity and Infrastructure Security Agency said Thursday it detected widespread exploitation of unsupported, internet-facing devices by advanced hackers and ordered federal agencies to begin a monthslong process of removing and replacing that outdated equipment.

The binding operational directive focuses on edge devices, many of which remain in service long after software vendors stop issuing security updates, increasing the risk of exploitation.

“The imminent threat of exploitation to agency information systems running EOS edge devices is substantial and constant, resulting in a significant threat to federal property. CISA is aware of widespread exploitation campaigns by advanced threat actors targeting EOS edge devices,” the directive says.

On a call with reporters, Nick Andersen, executive assistant director for cybersecurity at CISA, said that some of the hackers have ties to nation state adversaries. 

“We’re encouraging other organizations to follow our lead and adopt similar actions to strengthen the security of their edge devices. Put simply, unsupported devices should never remain on enterprise networks,” he said. The directive isn’t a response to any one compromise, he added, though he declined to name specific incidents that motivated the directive’s issuance.

Legacy systems are a repeated, common avenue that government agencies continue to struggle to secure, making them attractive targets for advanced threat actors once security updates lapse. At any point in time, hackers may be targeting federal computer networks, which frequently house sensitive data tied to government operations, public services and national functions.

The directive gives agencies three months to identify unsupported edge devices, a year to begin removing them and 18 months to eliminate them entirely, before requiring continuous monitoring to prevent outdated systems from returning to federal networks.

Agencies must immediately update any vendor-supported edge devices running end-of-support software to supported versions, where doing so does not disrupt mission-critical operations.

The month-by-month deadlines are meant to “allow time for organizations to do a thorough inventory,” added Andersen. The agency does not plan to make the list publicly available, and Andersen said that some agencies and organizations could have different tech stacks that don’t map cleanly to the federal-focused list.

“In many cases, this may require investing in new devices,’ he said. “So we’re encouraging all organizations to implement this guidance in the directive as soon as possible. But you know, providing for a 12-month timeline, in particular for the decommission item ... that gives us an opportunity as well to look at this across multiple fiscal years [and] across our federal government partners.”

A year ago, the cyberdefense agency issued similar guidance on edge device security with international partners signed on.

Although binding operational directives carry mandatory requirements for federal civilian agencies, CISA does not directly enforce them through fines or penalties and instead works with the Office of Management and Budget to track compliance with the orders.