The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered Federal Civilian Executive Branch (FCEB) agencies to strengthen asset lifecycle management for edge network devices and remove those that no longer receive security updates from original equipment manufacturers (OEMs) over the next 12 to 18 months.
The agency said the move is to drive down technical debt and minimize the risk of compromise, as state-sponsored threat actors turn such devices as a preferred access pathway for breaking into target networks.
Edge devices is an umbrella term that encompasses load balancers, firewalls, routers, switches, wireless access points, network security appliances, Internet of Things (IoT) edge devices, software-defined networks, and other physical or virtual networking components that route network traffic and hold privileged access.
“Persistent cyber threat actors are increasingly exploiting unsupported edge devices — hardware and software that no longer receive vendor updates to firmware or other security patches,” CISA said. “Positioned at the network perimeter, these devices are especially vulnerable to persistent cyber threat actors exploiting a new or known vulnerability.”
To assist FCEB agencies in this regard, CISA said it has developed an end-of-support edge device list that acts as a preliminary repository with information about devices that have already reached end-of-support or are expected to lose support. This list will include the product name, version number, and end-of-support date.
