CISA is ordering federal civilian government agencies to weed out and remove end-of-support edge devices in their environments, which have historically been widely targeted by threat actors.

CISA’s Thursday binding operational directive specifically addresses unsupported edge devices, which pose a two-fold security challenge. The devices themselves sit on the network perimeter and can give threat actors extensive reach into organizations’ networks. And because they are end-of-support, they are no longer maintained by their vendors, meaning that if a new vulnerability is found, the devices won’t receive supported updates.

“The imminent threat of exploitation to agency information systems running EOS [end-of-support] edge devices is substantial and constant, resulting in a significant threat to federal property,” according to CISA in its directive. “CISA is aware of widespread exploitation campaigns by advanced threat actors targeting EOS edge devices. Recent public reports of campaigns targeting certain vendors highlight actors' attempts to use these devices as a means to pivot into FCEB information system networks.”

Notably, unsupported devices shouldn’t reside anywhere on federal networks, CISA urged, and agencies should be working to identify hardware and software that are nearing their end-of-support dates and making a plan to decommission these. 

In the short term, agencies should immediately update supported edge devices, the directive orders. Then, within three months, agencies must inventory unsupported edge devices across their networks and find and remediate flaws on those devices. To facilitate this process, CISA has created an EOS Edge Device List that includes IT product names, version numbers, and end-of-support dates. The list has not been publicly released.


Within a year, federal agencies will then be required to “decommission all identified devices listed in the CISA EOS Edge Device List with an EOS date on or before this twelve-month deadline from systems owned or operated by agencies, or on behalf of an agency, replacing devices as needed with vendor-supported devices that can receive security updates,” according to the directive. 

In the longer term, agencies must decommission all identified edge devices from their networks (within 18 months) and create a process for continually finding these types of devices (within 24 months). 
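The directive’s inventory-and-deadline workflow, as an added illustration that is not CISA’s tooling and does not use the (unreleased) EOS Edge Device List: given a constructed list with the three fields the directive’s list is described as carrying (product name, version number, end-of-support date) and a constructed device inventory, the script below matches each device against the list and sorts it into the directive’s buckets. The product names, dates, the directive date, and the day-count approximation of the 12- and 18-month deadlines are all assumptions.

```python
from datetime import date, timedelta

# Constructed sample EOS list. Product names, versions and dates are
# placeholders, not entries from CISA's EOS Edge Device List.
EOS_EDGE_DEVICE_LIST = [
    {"product": "ExampleVendor VPN Gateway", "version": "5.x", "eos_date": date(2024, 6, 30)},
    {"product": "ExampleVendor VPN Gateway", "version": "7.x", "eos_date": date(2027, 1, 31)},
    {"product": "OtherVendor Firewall", "version": "3.2", "eos_date": date(2026, 9, 1)},
]

# Constructed device inventory for a hypothetical agency network.
INVENTORY = [
    {"hostname": "vpn-01", "product": "ExampleVendor VPN Gateway", "version": "5.x"},
    {"hostname": "vpn-02", "product": "ExampleVendor VPN Gateway", "version": "7.x"},
    {"hostname": "fw-01", "product": "OtherVendor Firewall", "version": "3.2"},
    {"hostname": "fw-02", "product": "OtherVendor Firewall", "version": "4.0"},
]


def classify_inventory(inventory, eos_list, directive_date):
    """Match inventory entries to the EOS list and assign a directive bucket.

    Buckets follow the directive as described in the article:
      - listed device with EOS date on or before the 12-month deadline:
        decommission within 12 months;
      - any other listed device: decommission within 18 months;
      - device not on the list: no directive deadline (still worth tracking).
    The 12-/18-month deadlines are approximated in days (assumption).
    """
    twelve_month = directive_date + timedelta(days=365)
    eighteen_month = directive_date + timedelta(days=548)
    # Index the list by (product, version) so lookups are exact matches.
    index = {(e["product"], e["version"]): e["eos_date"] for e in eos_list}

    results = []
    for dev in inventory:
        eos = index.get((dev["product"], dev["version"]))
        if eos is None:
            bucket, deadline = "not_listed", None
        elif eos <= twelve_month:
            bucket, deadline = "decommission_12_months", twelve_month
        else:
            bucket, deadline = "decommission_18_months", eighteen_month
        results.append({
            "hostname": dev["hostname"],
            "bucket": bucket,
            "deadline": deadline,
            # Already past EOS on the directive date: these are the devices the
            # three-month inventory-and-remediate step is meant to surface first.
            "already_eos": eos is not None and eos <= directive_date,
        })
    return results


def summarize(results):
    """Count devices per bucket, e.g. for a remediation status report."""
    counts = {}
    for r in results:
        counts[r["bucket"]] = counts.get(r["bucket"], 0) + 1
    return counts


if __name__ == "__main__":
    # Placeholder directive date; substitute the real issuance date.
    for row in classify_inventory(INVENTORY, EOS_EDGE_DEVICE_LIST, date(2026, 1, 1)):
        print(row)
    print(summarize(classify_inventory(INVENTORY, EOS_EDGE_DEVICE_LIST, date(2026, 1, 1))))
```

Matching on an exact (product, version) pair is deliberate: a device on a still-supported version of a product that also has EOS versions should not be flagged, and the `already_eos` flag separates devices that are unsupported today from those that merely fall under a future deadline.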

Edge devices from companies like Ivanti and Fortinet have been widely targeted by threat actors in campaigns over the past years. In December, for instance, researchers with Amazon’s Threat Intelligence team outlined a years-long Russian state-sponsored campaign targeting misconfigured customer network edge devices.

“The United States faces persistent cyber campaigns that threaten both public and private sectors, directly impacting the security and privacy of the American people,” according to CISA. “These campaigns are often enabled by unsupported devices that physically reside on the edge of an organization’s network perimeter.”