Co-authored by Roland Holloway
On February 5, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive (BOD) 26-02, a critical mandate aimed at Federal Civilian Executive Branch (FCEB) agencies, with strong recommendations for all organizations, to address the risks posed by End-of-Support (EOS) edge devices. These devices—such as firewalls, routers, switches, VPN gateways, and load balancers—are essential gatekeepers of network security but become vulnerable once they reach EOS status, as they no longer receive security patches. This creates significant security risks, making them prime targets for sophisticated threat actors, including nation-state adversaries.
Why the Directive Matters Now
Edge devices are internet-facing and often integrated with identity management systems, making them high-value targets. The directive responds to widespread exploitation campaigns, such as those researched by Cisco Talos (e.g., ArcaneDoor), where attackers exploit EOS devices as permanent “open doors” to infiltrate internal networks. The directive aims to eliminate this “technical debt” of legacy hardware to strengthen cybersecurity defenses.
Key Compliance Deadlines
CISA’s directive sets multiple deadlines on a two-year timeline for federal agencies:
- Immediate: Update vendor-supported edge devices running EOS software to vendor-supported software versions.
- May 5, 2026 (3 Months): Complete an inventory of all EOS edge devices on CISA’s “EOS Edge Device List.”
- February 5, 2027 (12 Months): Begin removing and replacing devices that reached EOS before the directive was issued. Inventory devices that have become EOS or will become EOS in the succeeding 12-month period and report to CISA.
- August 5, 2027 (18 Months): Complete the removal of all identified EOS edge devices and report to CISA.
- February 5, 2028 (24 Months): Establish continuous discovery processes for EOS devices and develop a mature lifecycle management program that results in the decommissioning of devices before or as they reach EOS.
How Cisco FedRAMP Solutions Help Address EOS Device Challenges
Cisco’s FedRAMP-authorized Security Cloud for Government portfolio offers comprehensive cloud-native solutions designed to help government agencies meet the requirements of BOD 26-02 by mitigating risks associated with EOS edge devices. These solutions significantly reduce reliance on hardware that can reach EOS, simplify lifecycle management, and enhance an organization’s overall security posture.
Cisco Security Cloud Control for Government
- Cloud-Delivered Unified Management: Security Cloud Control provides centralized visibility, policy enforcement, and automation across hybrid and multicloud environments. It unifies management for all Cisco Secure Firewall form factors—physical, virtual, and cloud-based—without requiring firewall management through on-premises hardware that can become EOS.
- Real-Time Visibility and Automation: Agencies gain real-time insights into network activity, security threats, and policy events, enabling rapid identification and remediation of issues.
- Scalability and Compliance: Delivered as a SaaS platform with FedRAMP Moderate authorization in process, it scales to evolving federal infrastructure needs while ensuring compliance with federal security standards such as FedRAMP, FIPS 140, and NIST frameworks.
- Simplified Operations: Automates firewall provisioning, object updates, and fleet management, reducing operational overhead and configuration errors.
Cisco Secure Access for Government
- Cloud-Native Security Service Edge (SSE): This FedRAMP Moderate-authorized solution delivers a unified Security Service Edge platform that protects users, data, and applications across devices, locations, and clouds without requiring hardware firewalls that can become EOS.
- Comprehensive Security Features: Includes integrated Zero Trust Network Access (ZTNA), Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Data Loss Prevention (DLP), Firewall as a Service (FWaaS), and VPN as a Service (VPNaaS).
- Adaptive and AI-Driven Protection: Powered by Cisco Talos threat intelligence, it provides real-time detection and prevention of threats, including DNS-layer security aligned with CISA’s Protective DNS guidance.
- Operational Simplicity: Offers a single console and policy engine for centralized management, reducing complexity and administrative overhead.
- User Experience: Provides seamless, high-performance access to all applications with a unified client combining ZTNA and VPN capabilities, enhancing workforce productivity without compromising security.
Additional Cisco FedRAMP Solutions Supporting EOS Mitigation
- Cisco Meraki for Government: A cloud-managed networking platform with FedRAMP Moderate authorization that simplifies network management and future-proofs infrastructure by eliminating dependency on legacy hardware.
- Cisco Duo Federal: Multi-factor authentication solution compliant with federal standards, enhancing secure access without hardware constraints.
- Cisco Secure Firewall for Government: Advanced threat protection tailored for federal environments, integrated with cloud management to avoid EOS hardware risks.
- Cisco SD-WAN for Government: Optimizes wide area networks with secure, cloud-integrated networking, reducing reliance on traditional hardware.
Conclusion
CISA’s BOD 26-02 underscores the urgent need for federal agencies to eliminate the security risks posed by EOS edge devices. Cisco’s FedRAMP-authorized Security Cloud for Government portfolio offers cloud-native, scalable solutions that reduce or remove the dependency on hardware prone to EOS challenges. Cisco Security Cloud Control and Secure Access for Government simplify security management, enhance threat protection, and assist agencies with their efforts to meet the directive’s compliance deadlines.
Looking Ahead: Get Ready for Blog 2 – Modernizing Government Networks with CISA BOD 26-02 Updates
As we wrap up our deep dive into CISA BOD 26-02 and how Cisco’s FedRAMP Security Cloud solutions help mitigate risks from End-of-Support edge devices, stay tuned for the next installment in this series.
Following the upgrade of End-of-Support edge devices, blog 2 will highlight how government networks can be transformed by leveraging innovative capabilities and powerful features that many organizations may not yet be fully utilizing. This next installment will showcase how embracing these advancements can drive greater network visibility, continuous discovery, and enhanced security—empowering agencies to modernize their infrastructure and stay ahead in today’s evolving threat landscape. Get ready to transform your network into a powerful sensor that delivers actionable intelligence and supports a zero-trust security posture. Blog 2 will equip you with the knowledge to harness Cisco Security features and modernize your government network infrastructure for the future.