Binding Operational Directive 26-02 sets deadlines for edge device replacement

In this Help Net Security video, Jen Sovada, General Manager, Public Sector at Claroty, explains CISA’s Binding Operational Directive 26-02 and what it means for federal agencies. The directive requires agencies to inventory, report, decommission, and replace unsupported edge devices such as firewalls, routers, switches, load balancers, and wireless access points.

Unsupported devices don’t receive security updates. This makes them high risk entry points for attackers. Agencies must identify these devices within three months and complete replacement within 12 to 18 months.

Jen outlines the need for continuous asset discovery, real-time monitoring, and risk-based lifecycle management. Agencies should track all connected devices, prioritize replacement based on mission impact, apply patches where possible, and segment networks to limit lateral movement.

The directive is about reducing risk to federal systems, protecting critical services, and supporting national security through proactive device management.