The United States faces persistent cyber campaigns that threaten both public and private sectors, directly impacting the security and privacy of the American people. These campaigns are often enabled by unsupported devices that physically reside on the edge of an organization’s network perimeter. Unsupported devices – referred to in this Directive as “end of support (EOS)” – are those that are no longer maintained by their vendors.
The imminent threat of exploitation to agency information systems running EOS edge devices is substantial and constant, resulting in a significant threat to federal property. CISA is aware of widespread exploitation campaigns by advanced threat actors targeting EOS edge devices. Recent public reports of campaigns targeting certain vendors highlight actors’ attempts to use these devices as a means to pivot into FCEB information system networks. Edge devices are attractive targets due to their extensive reach into an organization’s network and integrations with identity management systems. These devices are especially vulnerable to cyber exploits targeting newly discovered, unpatched vulnerabilities. Additionally, they no longer receive supported updates from the original equipment manufacturer, exposing federal systems to disproportionate and unacceptable risks. However, unlike many attack vectors, this can be remediated by agencies following proven lifecycle management practices as outlined in the required actions of this Directive.
This Binding Operational Directive, developed in coordination with OMB, implements OMB policy on phasing out unsupported information systems and information system components. BOD 26-02 specifically addresses EOS devices deployed on the “edge” or public-facing areas of federal networks, exposed to external environments such as the internet. However, EOS devices should not reside anywhere on federal networks. This Directive aligns with OMB’s Circular A-130, Managing Information as a Strategic Resource, which establishes policy for the management of federal information resources, emphasizing security, privacy, and the efficient use of resources throughout their lifecycle. A-130 requires that “unsupported information systems and system components are phased out as rapidly as possible, and planning and budgeting activities for all IT systems and services incorporate migration planning and resourcing to accomplish this requirement.” Agencies should mature their lifecycle management practices to identify hardware and software nearing their EOS dates, plan for timely replacements, procure vendor-supported alternatives, and develop a plan for decommissioning EOS devices while minimizing disruptions to agency operations. Agencies that do not maintain appropriate lifecycle management processes for edge devices have a greater risk of compromise and an increased overall risk associated with EOS technology.
To support agencies in the initial identification of EOS devices, CISA developed an EOS Edge Device List. This preliminary repository provides information on devices that are already EOS or soon-to-be EOS. This Directive requires federal agencies to use this information to identify and remediate vulnerabilities within the first three months of Directive issuance. This Directive also specifies long-term requirements for managing EOS edge devices across all federal networks.
Review the directive from CISA.
Source: CISA