By Brandon Hancock, J.D., CMMC-RP
CISA's February 5, 2026 Binding Operational Directive 26-02 applies to federal civilian executive branch agencies, not directly to every contractor. But contractors that operate, maintain, or connect to federal systems should read it carefully: unsupported edge devices are no longer just an IT refresh problem.
Why edge devices draw federal attention
Edge devices sit at the boundary of networks. Firewalls, routers, VPN appliances, secure gateways, switches, wireless controllers, and other internet-facing devices often control the path between a trusted environment and the outside world. When those devices are no longer supported by the vendor, they may stop receiving security updates. When they are internet-facing, the risk compounds.
CISA's directive focuses on federal agencies, but the underlying risk is the same in contractor environments. If a contractor uses an unsupported VPN appliance to administer a federal information system, provide managed services, exchange controlled unclassified information, or support agency operations, the weakness can become part of the government's risk picture.
The key point is lifecycle management. A device that was acceptable when installed can become unacceptable when support ends.
This is a contract-performance issue
Contractors sometimes separate asset lifecycle management from compliance. That separation is increasingly untenable. FAR 52.204-21, DFARS 252.204-7012, NIST SP 800-171, agency cloud requirements, and customer security addenda all depend on the contractor maintaining a reasonably secure environment. Unsupported edge devices can undermine access control, system integrity, incident detection, and vulnerability remediation.
A contractor may also face performance questions if an agency-directed remediation requires urgent replacement of hardware that the contractor should have planned for. If the contract requires continuous service delivery, security operations, or system availability, a surprise replacement can become a schedule and cost issue.
What contractors should do with BOD 26-02
Contractors should not claim that BOD 26-02 automatically applies to all private systems. Instead, they should use it as a planning signal. Federal customers are being directed to identify and mitigate unsupported edge-device risk. Contractors that support those customers may be asked for inventories, support status, replacement timelines, and compensating controls.
For companies preparing for CMMC or agency security reviews, the directive also supports a broader evidence point: vulnerability management is not only scanning. It includes knowing when assets are no longer supportable.
What this means for government contractors
A contractor should be able to answer three questions quickly.
First, what edge devices do we use in systems that support federal work? Second, what is the vendor support status and end-of-support date for each device? Third, what is the replacement, isolation, or decommission plan for any device approaching end of support?
If those answers require manual research across invoices, network diagrams, and tribal knowledge, the contractor has a lifecycle-management gap. That gap may not be visible in a control checklist, but it can become visible during an incident or customer review.
Subcontractors matter too. A prime contractor may rely on a managed service provider or telecom provider for remote access. If the prime cannot explain the lifecycle status of the devices that secure its federal work, it may not be able to defend its security posture to the customer.
Next step: add support status to the asset inventory
Update the asset inventory for all edge devices connected to federal work. Add:
- vendor;
- model;
- firmware or software version;
- internet exposure status;
- federal-work dependency;
- vendor support status;
- end-of-support date;
- replacement owner;
- replacement funding source; and
- interim compensating controls.
Then review the list quarterly. Unsupported edge devices should not become a discovery item after an incident.
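One way to run that quarterly review against an inventory export carrying these fields, as an added example and not anything taken from the directive or from CISA. The column names, the constructed ExampleNet rows, and the 365-day warning window are assumptions; support status is derived here from the end-of-support date.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample inventory; column names are assumptions mapped to the fields listed above.
SAMPLE_CSV = """vendor,model,version,internet_exposed,federal_work,eos_date,replacement_owner,funding_source,compensating_controls
ExampleNet,VPN-100,9.1.4,yes,yes,2025-11-30,,,
ExampleNet,FW-200,7.2.1,yes,yes,2026-12-31,J. Rivera,FY27 capex,
ExampleNet,SW-48,3.0.0,no,yes,,net-team,FY27 capex,
ExampleNet,RTR-9,15.2,no,no,2024-01-01,,,
ExampleNet,WLC-5,8.10,no,yes,2029-06-30,net-team,FY29 capex,
"""

def review_inventory(csv_text, today, warn_days=365):
    """Return (severity, device, reasons) for edge devices tied to federal work."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["federal_work"].strip().lower() != "yes":
            continue  # out of scope for this review
        device = f'{row["vendor"]} {row["model"]}'
        exposed = row["internet_exposed"].strip().lower() == "yes"
        eos_raw = row["eos_date"].strip()
        if not eos_raw:
            # An unknown end-of-support date is itself a lifecycle-management gap.
            findings.append(("UNKNOWN", device, ["no end-of-support date recorded"]))
            continue
        eos = date.fromisoformat(eos_raw)
        if eos < today:
            severity = "UNSUPPORTED"
        elif eos <= today + timedelta(days=warn_days):
            severity = "APPROACHING"
        else:
            continue  # supported beyond the warning window
        reasons = [f"end of support {eos.isoformat()}"]
        if exposed:
            reasons.append("internet-facing")
        if not row["replacement_owner"].strip():
            reasons.append("no replacement owner")
        if not row["funding_source"].strip():
            reasons.append("no replacement funding source")
        if severity == "UNSUPPORTED" and not row["compensating_controls"].strip():
            reasons.append("no interim compensating controls")
        findings.append((severity, device, reasons))
    order = {"UNSUPPORTED": 0, "UNKNOWN": 1, "APPROACHING": 2}
    return sorted(findings, key=lambda f: order[f[0]])

if __name__ == "__main__":
    for severity, device, reasons in review_inventory(SAMPLE_CSV, date(2026, 7, 2)):
        print(f"{severity:12} {device:20} {'; '.join(reasons)}")
```

Devices with no recorded end-of-support date are reported rather than skipped, since an unanswered support-status question is the gap the review is meant to surface.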
Sources
- BOD 26-02: Mitigating Risk From End-of-Support Edge Devices, Cybersecurity and Infrastructure Security Agency, February 5, 2026.
- CISA Directives Catalog, Cybersecurity and Infrastructure Security Agency, accessed July 2, 2026.