CISA directs agencies to purge end‑of‑support devices

Experts warn unsupported edge devices blur digital–physical risk and create prime entry points for attackers.

WASHINGTON — The Cybersecurity and Infrastructure Security Agency (CISA) has issued a binding operational directive that requires federal agencies to inventory, remove, and replace unsupported edge devices as the U.S. Department of Homeland Security tries to address growing threats targeting public and private infrastructure.

Titled “Mitigating Risk From End-of-Support Edge Devices,” the directive applies to devices considered “Federal Civilian Executive Branch” systems, and to agencies operating those systems as “Federal Civilian Executive Branch” agencies. Specifically, the department hopes to target systems at the edge of an organization’s perimeter, or devices no longer maintained by vendors and at the End-of-Service (EoS).

“CISA’s directive underscores a growing reality in operational technology: unsupported edge devices are not just an IT (information technology) lifecycle issue - they represent a direct risk to physical operations,” said RunSafe Security CEO Joe Saunders. “If breached, an attacker would then have access to OT (operational technology) environments, which often depend on legacy systems that were never designed with modern security in mind, yet they continue to control critical processes across infrastructure and industry. When those devices reach end-of-support, organizations are left running technology that is unmanaged, unmonitored, and frequently unpatched - creating ideal entry points for attackers.”

The directive follows an oversight hearing with the House Committee on Homeland Security in late January where lawmakers discussed the growing threats to vital public infrastructure like energy and transportation. 

“This week’s Homeland Security oversight hearing highlights a reality facing critical infrastructure operators across all sectors: cybersecurity risk is no longer confined to IT environments, but increasingly tied to operational safety, availability and mission integrity,” said David Sequino, co-founder and CEO at Integrity Security Services (ISS).  

Sonu Shankar, president and COO of Phosphorus, agrees. “Adversaries are no longer distinguishing between digital and physical targets as they are exploiting the seams between IT, OT, and other cyber-physical systems,” he said. “When devices fall outside visibility and control, they become pre-positioned attack infrastructure, not isolated technical debt.” 

The CISA directive sets a timeline for all Federal Civilian Executive Branch (FCEB) agencies, with goals ranging from inventorying all edge devices within three months to implementing continuous discovery and decommissioning all those devices within 24 months.
