A binding operational directive issued Thursday looks to combat an attack pathway that has been behind some of the biggest attacks and most common exploits in recent years.
The post CISA tells agencies to stop using unsupported edge devices appeared first on CyberScoop.
A Cybersecurity and Infrastructure Security Agency order published Thursday directs federal agencies to stop using “edge devices” like firewalls and routers that their manufacturers no longer support.
It’s a stab at tackling one of the most persistent and difficult-to-manage avenues of attack for hackers, a vector that has factored into some of the most consequential and most common types of exploits in recent years. New edge-device vulnerabilities surface frequently.
Under the binding operational directive CISA released Thursday, federal civilian executive branch (FCEB) agencies must inventory edge devices in their systems that vendors no longer support within three months, and replace them with supported devices within one year.
“Unsupported devices pose a serious risk to federal systems and should never remain on enterprise networks,” said CISA Acting Director Madhu Gottumukkala. “When the threat landscape demands decisive action, CISA will direct FCEB agencies to strengthen cyber resilience and build a stronger, safer digital infrastructure for America’s future. CISA strongly encourages non-federal organizations to adopt similar actions to strengthen the security of their edge devices.”
To aid agencies in following the directive, CISA is producing a list of end-of-service edge devices. CISA developed the directive in conjunction with the Office of Management and Budget, and puts a bit more muscle behind a decade-old OMB circular on agencies phasing out unsupported technologies.
Despite being called “binding operational directives,” CISA has no authority to mandate that agencies carry out the orders — although agencies have demonstrated they usually seek to follow them, and there are ways that CISA can work to ensure compliance. The private sector pays attention to CISA’s directives even though they don’t apply to companies.
The directive identifies the threat to federal information systems posed by unsupported edge devices as “substantial and constant,” given the access they can provide to hackers and how they are “especially vulnerable” to freshly-discovered and unpatched flaws.
“The United States faces persistent cyber campaigns that threaten both public and private sectors, directly impacting the security and privacy of the American people,” the directive reads. “These campaigns are often enabled by unsupported devices that physically reside on the edge of an organization’s network perimeter.”
The directive cites unnamed “recent public reports of campaigns targeting certain vendors highlight actors’ attempts to use these devices as a means to pivot into FCEB information system networks.”
Under the order, agencies are also told they must develop a process within two years for regularly identifying edge devices that have become unsupported or soon will.
CISA is publishing Tuesday’s directive almost one year to the day after the agency, with other federal and international agencies, released guidance on protecting edge devices.
The post CISA tells agencies to stop using unsupported edge devices appeared first on CyberScoop.
Source: CyberScoop
Source Link: https://cyberscoop.com/cisa-bod-directive-unsupported-edge-devices-firewalls-routers/