Overview
- Binding Operational Directive 26-02 sets deadlines to inventory end-of-support edge devices within three months, decommission those already past support within 12 months, replace all identified end-of-support gear within 18 months, and establish continuous discovery within 24 months.
- Agencies must immediately update any vendor‑supported equipment that is running end‑of‑support software when a supported version is available.
- CISA is publishing and maintaining an end‑of‑support device list to guide agencies’ inventories and replacement plans.
- The directive covers Federal Civilian Executive Branch systems, with compliance monitored alongside the Office of Management and Budget rather than enforced through fines.
- CISA urges non‑federal organizations to adopt similar lifecycle practices for edge devices such as firewalls, routers, switches, load balancers, wireless access points, IoT edge devices, and software‑defined network components.