
CISA Just Ordered the Federal Government to Rip Out Its Network Equipment. Here's Why Your Company Should Do the Same.

CISA's Binding Operational Directive 26-02 orders federal agencies to remove unsupported edge devices exploited by Chinese and Russian hackers. Private companies face the same risk.

By Meetesh Patel

On February 5, the Cybersecurity and Infrastructure Security Agency (CISA), the federal agency responsible for protecting government networks, issued Binding Operational Directive 26-02. That's a mandatory order to every federal civilian agency: find and remove network devices that no longer receive security updates from their manufacturers.

The devices in question are the ones that control traffic into and out of your network. Firewalls that block unauthorized access. Routers that direct data between networks. VPN gateways that let remote employees connect securely. Load balancers that distribute traffic across servers. Switches that connect devices within your office. These are the front doors and hallways of your digital infrastructure, and most companies install them and never think about them again.

The directive gives agencies three months to inventory everything and 18 months to rip out every unsupported device. That's aggressive for the federal government. And the reason it's aggressive is the reason you should care: Chinese and Russian state-sponsored hackers have been walking through these devices for years, and CISA calls the exploitation "substantial and constant."

This isn't a federal-only problem. The same Cisco firewalls, Fortinet appliances, Palo Alto gateways, and Ivanti VPN products that nation-state hackers exploited in government networks are running in private company offices right now. If your IT team can't tell you whether every network device you own still receives security updates, you have the same gap CISA just ordered the federal government to close.

What CISA is requiring

The directive

BOD 26-02, titled "Mitigating Risk From End-of-Support Edge Devices," is issued under 44 U.S.C. § 3553(b)(2), the federal statute that gives CISA authority to issue binding security directives to civilian government agencies. It was developed with the Office of Management and Budget and implements OMB policy on phasing out unsupported systems.

The directive covers any physical or virtual networking device that sits on the boundary of an organization's network and is accessible from the public internet. Think of it this way: if a device is the point where your internal network meets the outside world, it's covered. That includes firewalls, routers, switches, VPN gateways, load balancers, wireless access points, and network security appliances. The directive excludes industrial control systems (like those running factory floors) and cloud services that have already passed federal security certification.

A device reaches "end of support" when its manufacturer stops releasing security updates. Every piece of software has flaws that are discovered over time. Manufacturers release patches to fix those flaws. When a device hits end of support, those fixes stop coming, and every newly discovered flaw becomes a permanent, unlocked door.

The timeline

CISA set four deadlines, each building on the last:

Three months (May 5, 2026): Agencies must identify all unsupported devices currently on their networks using a non-public device list CISA has provided. They also need a system to track the support status of all their network equipment going forward.

12 months (February 5, 2027): All devices on CISA's list must be decommissioned or replaced with current models that still receive security updates.

18 months (August 5, 2027): All unsupported network devices must be removed, whether or not they appear on CISA's list.

24 months (February 5, 2028): Agencies must have an automated, continuous process that identifies devices reaching end-of-support status and removes them on schedule. No more set-it-and-forget-it.

CISA built this device list to help agencies identify what to look for, but it isn't public. Nick Andersen, CISA's Executive Assistant Director for Cybersecurity, told reporters the list was "developed specifically for the devices that are predominant in the federal government." For private companies, that means you'll need to check each manufacturer's website directly to see whether your equipment still gets security updates.

Why this is happening now

The hacking campaigns behind the directive

The reason CISA issued this order is blunt. Three overlapping government-backed hacking campaigns have systematically broken into organizations through these exact kinds of network devices, and the scope is larger than most executives realize.

Salt Typhoon is a hacking group linked to the Chinese government that has been active since at least 2019. It compromised over 600 organizations across 80 countries by exploiting known security flaws in network devices made by Cisco, Ivanti, Palo Alto Networks, and Fortinet. A joint advisory from CISA, NSA, and FBI, issued in August 2025, disclosed that Salt Typhoon stole 1,462 network configuration files, essentially the blueprints showing how networks are set up, from approximately 70 U.S. government and critical infrastructure organizations across 12 sectors. Telecommunications providers, government agencies, and technology companies were all hit. Norway's security service confirmed in February 2026 that it was targeted too, extending the campaign into Europe.

Volt Typhoon, another Chinese government-linked group, took a different approach. Per a separate CISA advisory, Volt Typhoon compromised thousands of small-office routers and firewalls, focusing on older Cisco and Netgear equipment that no longer receives updates. CISA, NSA, and FBI assessed that Volt Typhoon maintained hidden access to some U.S. critical infrastructure networks, including energy and water systems, for at least five years. The apparent purpose: quietly planting footholds that could be used for disruptive cyberattacks during a conflict with China.

Five years. Through devices that organizations thought were just quietly doing their jobs.

Russia's Sandworm unit, part of Russian military intelligence, shifted tactics in 2025. Rather than using expensive, previously unknown software flaws (called "zero-days" in the security world), Sandworm began targeting misconfigured and unsupported network devices, according to Amazon Threat Intelligence research. Their primary targets were energy companies in North America and Europe.

Here's the detail that should focus your attention: CISA's advisory notes that Salt Typhoon exploited only known, fixable security flaws. Not a single entry point required a previously unknown vulnerability. Every flaw they used had a patch available. The attackers got in because organizations hadn't applied those patches, or were running devices so old they couldn't receive patches at all.

Darktrace's 2024 threat report found that 40% of all malicious cyber activity in the first half of that year involved exploitation of internet-facing devices. Multiple vendor threat reports documented an eightfold increase in attacks targeting network border devices over the past two years.

Network equipment has become the preferred front door.

What it means for private companies

Our read

BOD 26-02 applies only to federal civilian agencies. CISA can't order private companies to replace their firewalls. But reading this as "not my problem" misses the bigger picture.

The joint fact sheet that CISA released alongside the directive, co-authored with the FBI and the UK's National Cyber Security Centre, explicitly urges all organizations to follow the same guidance. When three national security agencies from two countries jointly tell you to do something, that's about as close to a private sector mandate as exists without a law on the books.

BOD 26-02 will also become a benchmark for what regulators expect. Public companies are required by SEC cybersecurity disclosure rules to describe their cybersecurity risk management processes in annual reports (called 10-K filings). These are the documents investors and regulators read to understand how a company protects itself. If your process doesn't include tracking whether your network devices still receive security updates, and CISA has publicly declared that unsupported devices are an unacceptable risk, that's a gap in what you're telling the market. The SEC's examination division flagged cybersecurity governance as a "perennial examination priority" for 2026. Running known-unsupported equipment on your network while a federal directive calls it out by name is hard to defend in a filing.

Then there's the liability question. If your company suffers a data breach through an unsupported network device after CISA, FBI, and the UK's NCSC publicly warned about this exact attack method, opposing lawyers will have a clean argument: you knew, the government told you, and you didn't act. The joint fact sheet is a public record that effectively defines what reasonable care looks like for network security.

The implementation reality

This is where it gets real for mid-market companies. Federal agencies have dedicated procurement budgets and centralized IT teams. A company with 200 employees running a mix of network equipment from different manufacturers doesn't necessarily know which devices are past end-of-support.

Most companies don't have a current inventory of their network devices, let alone one that tracks when each device stops receiving security updates. The first step isn't buying new equipment. It's figuring out what you have.

CISA's phased approach is instructive here. The three-month inventory deadline comes first, before any replacement is required. Private companies should follow the same sequence: inventory first, then prioritize replacements based on which devices are most exposed to the internet.

The cost question is unavoidable. Replacing a fleet of enterprise firewalls or VPN appliances isn't cheap. But the cost of a breach through a known-unsupported device is worse, both in dollars and in the fallout. Having to tell investors and regulators that hackers got in through equipment the government specifically warned you about? That's the kind of fact pattern that makes lawsuits straightforward.

The board conversation

If you're a CISO or IT leader preparing for your next board meeting, BOD 26-02 gives you a concrete reason to act. This isn't "we should probably refresh our network equipment someday." This is "the federal government just ordered its own agencies to remove this exact equipment because foreign government hackers are actively exploiting it, and three national security agencies told private companies to do the same."

Board members understand government directives. They understand liability exposure. If you've been struggling to get budget for infrastructure upgrades, this directive is your strongest argument yet.

Practical takeaways

Actions your team can assign this week:

1. Run a full network device inventory within 30 days. Identify every firewall, router, VPN appliance, load balancer, switch, and wireless access point that connects your network to the outside world. Include both physical devices and any virtual (software-based) equivalents.

2. Check whether each device still receives security updates. Visit each manufacturer's end-of-life page (usually found by searching "[manufacturer name] end of life" or "[product name] end of support"). Flag any device that has already stopped receiving updates or will stop within 12 months.

3. Verify that all devices still receiving updates are running the latest version. Even current devices may be running outdated software. Confirm that the latest security patches are installed, particularly for flaws that Salt Typhoon exploited: CVE-2024-21887 (Ivanti products), CVE-2024-3400 (Palo Alto Networks products), and CVE-2023-20273 and CVE-2023-20198 (Cisco products). Your IT team or managed service provider can check these by CVE number.

4. Prioritize replacing any unsupported devices that face the public internet. A legacy device on an internal-only network segment carries less risk than one exposed to the open internet. Triage based on exposure.

5. Lock down remote management access on all network devices. If your firewall or router has an administration interface accessible from the public internet, that's exactly what these hackers look for. Restrict management access to internal networks only.

6. Turn on centralized logging for all network devices. The Chinese hacking groups behind these campaigns used a technique called "living off the land," where they use the device's own built-in tools rather than installing detectable malware. Traditional antivirus and security software on employee computers won't catch this. Logging network device activity and sending those logs to a central system is often the only way to spot these intrusions.

7. Brief your board or executive team on BOD 26-02 and the joint CISA/FBI/NCSC fact sheet. Frame it as a liability and regulatory disclosure issue, not just a technical one. Request budget for priority replacements.

8. Review your SEC cybersecurity disclosures if you're publicly traded or preparing for an IPO. Confirm that your annual report's risk management section addresses network device lifecycle management. If it doesn't, work with your legal team to update the language before your next filing.

9. Update your purchasing standards to require minimum support lifecycle commitments on all network device purchases going forward. When you buy a new firewall or router, confirm in writing how long the manufacturer will provide security updates. Build scheduled replacements into your budget cycle so devices don't silently age into unsupported status.
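The first six actions above (inventory, end-of-support check with a 12-month lookahead, firmware currency, exposure-based triage, and management-interface lockdown) reduce to a small, repeatable script. The following is an added example, not code from the article, CISA, or any vendor. The inventory, vendor names, model names, firmware versions, and end-of-support dates are constructed for illustration; in practice the end-of-support date and latest firmware come from each manufacturer's lifecycle page, and the exposure flags come from your own network diagrams or an external scan of your public address space.

```python
"""Edge-device support-status triage (added example; constructed data).

Applies the article's sequence: take an inventory of boundary devices, flag
anything unsupported or reaching end of support within 12 months, check that
firmware is current, note management interfaces exposed to the internet, and
rank the results by exposure so replacement budget goes to the riskiest first.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class EdgeDevice:
    name: str
    vendor: str                      # constructed placeholder, not a real vendor
    model: str
    role: str                        # firewall, router, vpn, load balancer, switch, ap
    internet_facing: bool            # has an interface reachable from the public internet
    mgmt_from_internet: bool         # admin UI / SSH reachable from the public internet
    firmware: str
    latest_firmware: str             # current release per vendor advisory (assumed)
    end_of_support: Optional[date]   # None = vendor date not yet looked up


def support_status(dev: EdgeDevice, today: date, horizon_days: int = 365) -> str:
    """'unsupported', 'expiring' (within the horizon), 'supported', or 'unknown'."""
    if dev.end_of_support is None:
        return "unknown"
    if dev.end_of_support <= today:
        return "unsupported"
    if dev.end_of_support <= today + timedelta(days=horizon_days):
        return "expiring"
    return "supported"


def findings(dev: EdgeDevice, today: date) -> list:
    """Issues found for one device, in the same order as the article's steps."""
    out = []
    status = support_status(dev, today)
    if status in ("unsupported", "unknown"):
        out.append(f"end-of-support: {status}")
    elif status == "expiring":
        out.append(f"end-of-support: {dev.end_of_support.isoformat()} (within 12 months)")
    if dev.firmware != dev.latest_firmware:
        out.append(f"firmware {dev.firmware} behind latest {dev.latest_firmware}")
    if dev.mgmt_from_internet:
        out.append("management interface reachable from the internet")
    return out


def priority(dev: EdgeDevice, today: date) -> int:
    """Higher means act sooner. Internet exposure multiplies the support weight,
    and an exposed management interface is a standalone finding on top."""
    weight = {"unsupported": 4, "unknown": 3, "expiring": 2, "supported": 0}
    score = weight[support_status(dev, today)] * (3 if dev.internet_facing else 1)
    if dev.mgmt_from_internet:
        score += 3
    if dev.firmware != dev.latest_firmware:
        score += 1
    return score


def triage(inventory: list, today: date) -> list:
    """(name, priority, findings) tuples, highest priority first; devices with
    nothing to report are omitted so the list is an action list, not a dump."""
    rows = [(d.name, priority(d, today), findings(d, today)) for d in inventory]
    rows = [r for r in rows if r[2]]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


# Constructed sample inventory: every value below is illustrative.
TODAY = date(2026, 3, 1)
INVENTORY = [
    EdgeDevice("fw-edge-01", "VendorA", "FW-2000", "firewall", True, True,
               "8.1.2", "8.1.5", date(2025, 6, 30)),
    EdgeDevice("vpn-gw-01", "VendorB", "VPN-X", "vpn", True, False,
               "22.4", "22.4", date(2026, 9, 30)),
    EdgeDevice("rtr-branch-03", "VendorC", "R-150", "router", True, False,
               "15.2", "15.2", None),
    EdgeDevice("sw-core-01", "VendorA", "SW-48", "switch", False, False,
               "3.0.9", "3.1.0", date(2029, 1, 31)),
    EdgeDevice("lb-dmz-01", "VendorD", "LB-10", "load balancer", True, False,
               "12.1", "12.1", date(2028, 12, 31)),
]

if __name__ == "__main__":
    for name, score, issues in triage(INVENTORY, TODAY):
        print(f"[{score:>2}] {name}")
        for issue in issues:
            print(f"      - {issue}")
```

Two design choices are worth noting. A device whose end-of-support date nobody has looked up is scored almost as high as a known-unsupported one, because "we don't know" is the state the directive's inventory deadline is meant to eliminate. And an internet-reachable management interface is scored independently of support status, since a fully patched firewall with its admin page on the open internet is still the kind of exposure step 5 tells you to close first.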

What we're watching

May 5, 2026: Federal agencies' three-month inventory deadline under BOD 26-02. Compliance reports will show how widespread the unsupported device problem is across government, and that data will inform what private companies should expect.

New York financial cybersecurity enforcement: New York's Department of Financial Services runs one of the most aggressive cybersecurity regulatory programs in the country. 2026 is the first full examination cycle under its amended Cybersecurity Regulation, with enforcement expected to focus on governance, risk assessment, and access controls. Network device security is squarely within scope for any company regulated by NYDFS.

California SB 446: California's new data breach law amendment introduces 30-day individual notice and 15-day attorney general reporting requirements. Faster notification timelines raise the stakes on preventing breaches in the first place.

SEC 2026 examination priorities: The SEC's examination division flagged cybersecurity defenses and incident response as a perennial priority, with particular attention to AI-related intrusions and vendor oversight. If you're a registered investment adviser, broker-dealer, or fund, expect questions about how you manage infrastructure security.

Salt Typhoon scope expanding: Norway's confirmation in February 2026 suggests additional allied nations may disclose that they were also targeted. Each disclosure strengthens the public record that network device exploitation is an active, global threat.

Looking ahead

BOD 26-02 is the strongest signal yet that the federal government considers unsupported network devices an unacceptable risk. The directive itself only binds federal agencies. But the joint fact sheet, the intelligence about ongoing nation-state hacking campaigns, and the regulatory environment all point in the same direction for private companies.

The attackers aren't waiting for your budget cycle. They're scanning your network right now, looking for the devices you forgot about. Start with the inventory.

Disclaimer: This article is provided for informational purposes only and does not constitute legal advice. The information contained herein should not be relied upon as legal advice and readers are encouraged to seek the advice of legal counsel. The views expressed in this article are solely those of the author and do not necessarily reflect the views of Consilium Law LLC.