The Cybersecurity and Infrastructure Security Agency has given federal agencies 18 months to remove all end-of-support edge devices from their networks, escalating its response to what security researchers describe as a fundamental shift in nation-state attack tactics, where attackers exploit network infrastructure rather than endpoints. The binding operational directive, BOD 26-02, requires Federal Civilian Executive Branch (FCEB) agencies to inventory, update where possible, and ultimately replace firewalls, routers, VPN gateways, load balancers, and network security appliances that no longer receive vendor security patches. CISA warned that the threat from these unsupported devices is “su...