CISA BOD 26-02 (BOD 26-02), also known as Binding Operational Directive 26-02, Mitigating Risk From End-of-Support Edge Devices, is a directive issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on February 5, 2026.
This directive requires federal agencies to inventory all devices on the CISA EOS Edge Device List and report that inventory to CISA within 90 days of issuance, with longer-term requirements for decommissioning and lifecycle governance.
BOD 26-02 specifically addresses end-of-support (EOS) devices deployed on the ‘edge’, or public-facing areas, of federal networks (e.g., anywhere on federal networks) that are exposed to external environments such as the internet. It implements a policy to phase out unsupported information systems and information system components.
What is an Edge Device?
An edge device is any hardware that acts as an entry point and pivot point for lateral movement into networks, processing data at or near its source. Examples include industrial controllers, smart cameras, IoT sensors, routers, switches, gateways, smartwatches, and medical instruments. Situated at the boundary between the physical world and digital networks, edge devices gather, filter, and analyze data locally.
Why do EOS Edge Devices Pose a Security Risk?
An EOS edge device (firewall, router, VPN, IoT) no longer receives security patches or firmware updates, leaving known vulnerabilities permanently exposed to exploitation. Because these devices often sit at the network boundary with high-level privileges, attackers have easy, well-defined attack paths and can target them to gain initial access, move laterally into internal networks, and exfiltrate sensitive data.
What is the Implementation Timeline?
Federal agencies are on a timeline to identify and remediate edge device vulnerabilities. The phases are:
- February 2026: Apply vendor-supported updates to edge devices, provided such an update does not adversely impact mission-critical functionality.
- By May 2026: Inventory and report all edge devices listed on CISA’s EOS list using the CISA-provided template.
- By February 2027:
  - Decommission devices that have reached EOS.
  - Report decommissions to CISA using the CISA-provided template.
  - Inventory all edge devices within their environments that are EOS or will become EOS within 12 months that are within the scope of this directive.
- By August 2027:
  - Decommission and replace remaining EOS edge devices with vendor-supported equipment that can receive current security updates.
  - Report decommissions to CISA using the CISA-provided template.
- By February 2028:
  - Define a process for continuous discovery of all edge devices and maintain an inventory of those that are or will become EOS within their environments.
  - Having decommissioned devices on or before EOS dates, report decommissions to CISA using the CISA-provided template.
As agencies plan their technical edge device refreshes, it’s important that they keep in mind the requirements of Office of Management and Budget (OMB) Memorandum M-22-09, Moving the U.S. Government Toward Zero Trust Cybersecurity Principles. That memorandum directs agencies to take important actions related to:
- Information sharing between agencies at varying maturity levels in their zero trust implementation.
- Cloud and hybrid implementations that include feature-rich, zero-trust-ready solutions.
- Alignment with CISA’s five pillars of security maturity: identity, devices, networks, applications and workloads, and data.