New CISA guidance provides guardrails for end-of-support
“If breached, an attacker would then have access to OT environments,” security CEO says.
Eoin Higgins is a reporter for IT Brew whose work focuses on the AI sector and IT operations and strategy.
A new directive from the federal government’s top cybersecurity agency aims to lessen the danger posed by end-of-support edge devices, closing a gap in how the government manages the lifecycle of its network hardware.
The Cybersecurity and Infrastructure Security Agency (CISA) issued a Binding Operational Directive to reduce the risk from edge devices (routers, firewalls, VPN appliances and similar network gear) whose vendors no longer ship security updates but which remain in use.
CISA’s directive requires federal agencies and departments to inventory those devices and decommission them on a rolling basis, replacing them as they are retired. The 24-month plan sets benchmarks that the agency hopes will change how the federal government manages the lifecycle of its IT hardware.
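The inventory-then-decommission process the directive describes starts with knowing which devices are already out of vendor support, which will fall out of support within the plan window, and which have no support date on record at all. The script below is an added illustration of that triage, not CISA’s tooling or any text from the directive. The inventory, the vendor and model names, the end-of-support dates and the 90-day and 24-month deadlines are all constructed for the example; the deadlines are assumptions, not the directive’s actual benchmarks.

```python
"""Triage a network-device inventory against vendor end-of-support dates.

Added example, not CISA's tooling. Every device, vendor, model and date
below is constructed; vendor and model names are fictional. The 24-month
window matches the plan horizon as reported, the 90-day "immediate"
deadline is an assumption for this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

PLAN_WINDOW = timedelta(days=730)      # assumed: the 24-month plan horizon
IMMEDIATE_WINDOW = timedelta(days=90)  # assumed: deadline for devices already unsupported


@dataclass(frozen=True)
class Device:
    hostname: str
    vendor: str
    model: str
    role: str                       # e.g. "vpn", "firewall", "router"
    internet_facing: bool
    end_of_support: Optional[date]  # None = no date on record, itself a finding


def classify(dev: Device, today: date) -> str:
    """Return a triage bucket for one device.

    past_eos      : vendor support already ended; unpatched from here on
    unknown_eos   : no support date on record; the inventory is incomplete
    expiring_soon : support ends inside the 24-month plan window
    supported     : support extends beyond the plan window
    """
    if dev.end_of_support is None:
        return "unknown_eos"
    if dev.end_of_support <= today:
        return "past_eos"
    if dev.end_of_support - today <= PLAN_WINDOW:
        return "expiring_soon"
    return "supported"


def deadline(dev: Device, bucket: str, today: date) -> Optional[date]:
    """Assumed decommission (or data-completion) deadline per bucket."""
    if bucket in ("past_eos", "unknown_eos"):
        # Unsupported: replace within the immediate window.
        # Unknown: establish a support date within the same window.
        return today + IMMEDIATE_WINDOW
    if bucket == "expiring_soon":
        return dev.end_of_support   # replace before support lapses
    return None                     # supported beyond the plan: no deadline yet


def triage(inventory: List[Device], today: date) -> List[Tuple[Device, str]]:
    """Order devices so the riskiest are decommissioned first.

    Sort key: bucket severity, then internet exposure (an unsupported VPN
    or firewall reachable from the internet is the classic entry point),
    then the earliest end-of-support date.
    """
    severity = {"past_eos": 0, "unknown_eos": 1, "expiring_soon": 2, "supported": 3}
    rows = []
    for dev in inventory:
        bucket = classify(dev, today)
        rows.append((severity[bucket], not dev.internet_facing,
                     dev.end_of_support or date.min, dev, bucket))
    rows.sort(key=lambda r: r[:3])
    return [(r[3], r[4]) for r in rows]


# Constructed inventory and "today" for the example (fictional vendors/models).
TODAY = date(2026, 2, 15)
INVENTORY = [
    Device("vpn-edge-01", "Acme", "EdgeGate 200", "vpn", True, date(2024, 6, 30)),
    Device("fw-core-02", "Acme", "EdgeGate 400", "firewall", True, date(2027, 3, 31)),
    Device("rtr-branch-07", "Nimbus", "R7", "router", False, None),
    Device("fw-lab-03", "Nimbus", "F9", "firewall", False, date(2029, 1, 1)),
    Device("rtr-dc-01", "Acme", "EdgeGate 100", "router", False, date(2025, 1, 1)),
]


def report(inventory: List[Device], today: date) -> List[str]:
    """Human-readable lines, riskiest first."""
    lines = []
    for dev, bucket in triage(inventory, today):
        due = deadline(dev, bucket, today)
        exposure = "internet-facing" if dev.internet_facing else "internal"
        lines.append(f"{dev.hostname:14} {bucket:14} {exposure:16} "
                     f"eos={dev.end_of_support} due={due}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(INVENTORY, TODAY)))
```

The ordering is the point: an internet-facing VPN appliance that has already fallen out of support lands at the top, an internal router past its date comes next, and a device with no end-of-support date on record ranks above one that is merely expiring, because an inventory gap means nobody is tracking that device at all.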
Part of a plan. In a comment included with a February press release announcing the guidance, CISA Executive Assistant Director for Cybersecurity Nick Andersen said that the agency sees the change as part of an overall commitment to cybersecurity hygiene.
“Driving timely risk reduction across the federal enterprise is critical, but true impact comes when all organizations commit to the same goal,” Andersen said. “By proactively managing asset lifecycles and removing end-of-support technology, we can collectively strengthen resilience and protect the global digital ecosystem.”
Scott Montgomery, VP of federal at enterprise browser maker Island, told IT Brew that the root of the end-of-support problem is that safety and security are routinely traded away for availability; breaches and other bad outcomes often follow from taking the path of least resistance, with little attention to security. It’s a choice.
“The reason you run into these problems with these network and edge devices is, ‘If it ain’t broke, don’t fix it,’” Montgomery said.
Threat detected. The danger of end-of-support edge devices is self-evident, Joe Saunders, CEO of RunSafe Security, told IT Brew in an email: because these devices connect networks to one another, a compromise of one puts physical operations at risk.
“If breached, an attacker would then have access to OT environments, which often depend on legacy systems that were never designed with modern security in mind, yet they continue to control critical processes across infrastructure and industry,” Saunders wrote. “When those devices reach end-of-support, organizations are left running technology that is unmanaged, unmonitored, and frequently unpatched—creating ideal entry points for attackers.”
While the directive binds only the public sector, the guidance matters to the private sector too. CISA announcements are meant to signal a broader shift in security priorities; a relentless focus on availability, especially in the cloud, can radically expand an organization’s attack surface.
Push it. At federal agencies such as the DoD, mission comes first and will take precedence over concerns raised by CISA guidance, Montgomery said. That might mean obtaining a waiver rather than addressing the root cause, kicking the can down the road.
“Now, are they compounding their mission problem because of these devices not being patched or supported by the vendor?” Montgomery asked. “Yeah, sure, but that’s a tomorrow problem.”