CISA gives federal agencies one year to rip out end-of-life devices

Federal civilian agencies have been ordered to remove end-of-life devices within 12 months due to widespread exploitation campaigns by sophisticated hackers.

The U.S. cyber defense agency issued an operational directive on Thursday mandating federal agencies to “remove any hardware and software devices that is no longer supported by its original equipment manufacturer.”

“Unsupported devices pose a serious risk to federal systems and should never remain on enterprise networks,” said Cybersecurity and Infrastructure Security Agency (CISA) Acting Director Madhu Gottumukkala. 

CISA said cyber threat actors are increasingly exploiting edge devices that no longer receive vendor updates to firmware or other security patches. The devices — which include load balancers, firewalls, routers, switches, wireless access points, network security appliances, internet of things (IoT) edge devices and more — are “especially vulnerable to persistent cyber threat actors exploiting a new or known vulnerability.”

CISA Executive Assistant Director for Cybersecurity Nick Andersen told reporters during a press call that the attackers targeting edge devices “include those with ties to nation-states.” He declined to name which countries were involved or to explain what specific incidents prompted the directive.

“This isn’t a response to any one incident or compromise, but a recognition that unsupported devices just pose such a serious risk to federal systems,” he explained.

Federal civilian agencies will have three months to provide CISA with an inventory of all devices on their networks that appear on a CISA-provided list of end-of-life devices.

Within one year, all of the identified devices must be decommissioned, and within two years agencies must have a process in place for continuous discovery of edge devices that may be end-of-life.

Federal agencies are also ordered to update all devices and replace end-of-life ones with devices that can receive security updates.  

CISA created an EOS Edge Device List that contains information on devices that are already end-of-service or will be in the coming months. CISA said it would not be publishing the list of end-of-life devices publicly. 
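The directive's first two milestones amount to an asset-reconciliation job: match what is on the network against a vendor/product end-of-support list, flag what is already unsupported, and keep flagging what is about to become unsupported so discovery is continuous rather than a one-off. The script below is an added example, not code from CISA or the article, and because the EOS Edge Device List is not public it uses a constructed placeholder list, a constructed inventory and a constructed reference date (`TODAY`); the vendor and product names are made up.

```python
"""Reconcile a device inventory against an end-of-support (EOS) list.

Added example, not part of the article or CISA's directive. All vendor,
product and hostname values below are constructed placeholders; CISA's
actual EOS Edge Device List is not public.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample EOS list: (vendor, product) -> end-of-support date.
EOS_LIST = {
    ("examplevendor", "edgefw-100"): date(2024, 6, 30),   # already unsupported
    ("examplevendor", "edgefw-200"): date(2026, 3, 31),   # support ends soon
    ("othervendor", "ap-7"): date(2025, 12, 31),          # support ends soon
}

# Constructed reference date used by the demo run and the assertions.
TODAY = date(2025, 11, 20)


@dataclass(frozen=True)
class Device:
    hostname: str
    vendor: str
    product: str
    role: str  # firewall, router, switch, access point, load balancer, ...


# Constructed sample inventory, as an agency's asset system might export it.
INVENTORY = [
    Device("fw-dc1-01", "ExampleVendor", "EdgeFW-100", "firewall"),
    Device("fw-dc1-02", "ExampleVendor", "EdgeFW-200", "firewall"),
    Device("ap-floor3-07", "OtherVendor", "AP-7", "access point"),
    Device("rtr-branch-04", "ThirdVendor", "R-9000", "router"),
]


def _key(vendor: str, product: str) -> tuple:
    # Normalize case and whitespace so "ExampleVendor / EdgeFW-100" matches
    # the list entry regardless of how the inventory export spells it.
    return (vendor.strip().lower(), product.strip().lower())


def eos_date(device: Device):
    """End-of-support date for the device, or None if it is not on the list."""
    return EOS_LIST.get(_key(device.vendor, device.product))


def classify(device: Device, today: date, horizon_days: int = 365) -> str:
    """Bucket a device by its support status relative to `today`.

    end_of_support  - already unsupported; must be decommissioned
    approaching_eos - on the list, support ends within `horizon_days`
    supported       - on the list, but support ends beyond the horizon
    not_on_list     - no match; still needs a vendor lifecycle check
    """
    d = eos_date(device)
    if d is None:
        return "not_on_list"
    if d <= today:
        return "end_of_support"
    if d <= today + timedelta(days=horizon_days):
        return "approaching_eos"
    return "supported"


def reconcile(inventory, today: date, horizon_days: int = 365) -> dict:
    """Group inventory hostnames by support status for the compliance report."""
    report = {"end_of_support": [], "approaching_eos": [],
              "supported": [], "not_on_list": []}
    for dev in inventory:
        report[classify(dev, today, horizon_days)].append(dev.hostname)
    return report


if __name__ == "__main__":
    # Re-running this on a schedule against a fresh export is the
    # "continuous discovery" the directive asks for.
    for status, hosts in reconcile(INVENTORY, TODAY).items():
        print(f"{status:16s} {', '.join(hosts) or '-'}")
```

Devices that fall into `not_on_list` are not automatically safe: the list only covers what CISA has catalogued, so those entries still need a check against the vendor's own lifecycle notices before they are treated as supported.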

“Practicing good cyber hygiene starts with eliminating unsupported edge devices,” Andersen said. 

CISA said it will assist any agency that needs help and will track the progress of compliance. The agency did not say what specific threat actors or incidents precipitated the directive. 

The directive makes reference to “recent public reports of campaigns targeting certain vendors” but Andersen declined to elaborate on which reports were being referenced. 

Edge devices have long been a preferred entry point for attackers seeking to break into networks, and nation-state actors from China and Russia have launched multiple campaigns aimed specifically at devices from companies such as Barracuda, Ivanti and Fortinet.

In its directive, CISA said the U.S. “faces persistent cyber campaigns” that are “often enabled by unsupported devices that physically reside on the edge of an organization’s network perimeter.” 

CISA added that the exploitation campaigns it is aware of are “substantial and constant, resulting in a significant threat to federal property.”

“Recent public reports of campaigns targeting certain vendors highlight actors’ attempts to use these devices as a means to pivot into [Federal Civilian Executive Branch Agencies] information system networks,” the federal cybersecurity watchdog said. 

“Edge devices are attractive targets due to their extensive reach into an organization’s network and integrations with identity management systems. These devices are especially vulnerable to cyber exploits targeting newly discovered, unpatched vulnerabilities.”


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.
