Federal IoT and OT Risk is Outpacing Visibility

Federal CTO of Cybersecurity
April 23, 2026

BOD 26-02 exposes a visibility gap that agencies can no longer ignore.

For federal agencies managing complex, distributed infrastructure, the most dangerous devices on their networks may be the ones they cannot see. Across federal assessments, agencies consistently struggle to produce a complete inventory of connected IoT devices, identify which devices carry known vulnerabilities, or enforce access controls for endpoints that were never designed to be managed by traditional IT tools. OT, IoT, and specialized systems now represent 42 percent of enterprise assets while accounting for 64 percent of mid- to high-level enterprise risk. The fastest-growing part of the federal attack surface is also the least understood.

The threat environment is not hypothetical. Ransomware attacks against OT systems surged 46 percent in 2025, and nation-state actors have demonstrated sustained interest in using unmanaged edge devices as reliable entry points into federal networks. CISA stated in its February 2026 Binding Operational Directive (BOD 26-02) that widespread exploitation campaigns by advanced threat actors targeting end-of-support edge devices represent a constant and substantial threat to federal information systems. Issued on February 5, 2026, BOD 26-02 requires all Federal Civilian Executive Branch (FCEB) agencies to inventory all end-of-support edge devices and report to CISA within 90 days, with longer-term mandates to begin decommissioning within 12 months and complete removal within 18 months. For many program managers, the May 2026 inventory deadline is already bearing down.

Traditional Security Tools Were Not Built for IoT and OT

Most federal agencies have invested heavily in endpoint detection and response tools designed for managed workstations and servers. Those investments are not wasted, but they leave large portions of the environment invisible. IoT devices, industrial control systems, building management systems, and legacy OT equipment rarely support agents, cannot be enrolled into standard mobile device management platforms, and often communicate over proprietary protocols that traditional security tools cannot interpret. The result is an asset inventory that reflects only the managed IT layer, while the broader cyber-physical environment grows unchecked and unmonitored.

The Compliance Gap is Structural, Not Operational

The compliance gap this creates is structural, not operational. This is not a tooling failure. It is a mismatch between how these environments operate and how they are being secured. An agency can implement a rigorous vulnerability management program, harden its software stack, and still carry critical exposure through a legacy HVAC controller, a networked sensor array, or an end-of-support firewall sitting at the edge of a classified enclave. BOD 26-02 converts that structural gap into a compliance obligation with hard deadlines. Attempting to address it by assigning IT staff to manually catalog devices or running periodic scans against environments not designed for that activity will not produce the continuous, authoritative visibility the directive requires. Discovery conducted once to satisfy a reporting deadline is not an asset management program; it is a temporary snapshot that begins aging the moment it is submitted.

From Periodic Discovery to Continuous Visibility

RavenTek approaches IoT and OT security as an asset visibility problem before it becomes a threat response problem. For most agencies, the challenge is not a lack of data. It is the absence of a continuous, authoritative view of devices that were never designed to be managed by traditional IT security models.

Addressing this requires a shift from periodic discovery to continuous visibility across both internal environments and external exposure. Passive, agentless discovery enables agencies to identify and classify devices without disrupting operations, while external attack surface intelligence provides a necessary outside-in perspective on what may already be visible to adversaries.

When these capabilities are integrated into a broader zero trust and compliance framework, discovery becomes actionable. Asset inventories evolve into living systems that inform risk prioritization, remediation workflows, and reporting aligned to mandates such as BOD 26-02 and the Secure Connectivity Principles for Operational Technology.

Bridging Internal Visibility and External Exposure

RavenTek brings these capabilities together through its federal practice, leveraging technologies such as Armis for agentless discovery and Censys for external exposure intelligence to create a unified view of the cyber-physical environment. Together, these approaches address two of the most persistent blind spots in federal environments: the devices agencies do not know are operating internally, and the exposure they do not realize is visible externally.

Four Steps to Establish a Defensible Baseline

Program managers and security leads working toward BOD 26-02 compliance have a narrow window before the May 2026 inventory reporting deadline. Four actions can help agencies establish a defensible baseline this quarter.

First, initiate a passive device discovery exercise across all networked environments, including IT, OT, and building infrastructure, to generate an initial device census.

Second, map discovered assets against the CISA end-of-support edge device list and prioritize those with known active exploitation history.

Third, conduct an external attack surface assessment to identify internet-facing exposure that may not be reflected in internal asset records.

Fourth, engage RavenTek early in the compliance workflow; the inventory and reporting artifacts BOD 26-02 requires are not a one-time exercise but an ongoing discovery capability that must become part of the agency’s security operations baseline.
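The reconciliation behind the second and third actions, as an added example that is not RavenTek's, CISA's, or any vendor's own tooling: it matches a discovery census against an end-of-support list, ranks the matches, and surfaces internet-facing hosts the inventory does not record. All records and field names are constructed assumptions, and ranking internet-facing devices second goes beyond the known-exploitation priority stated above.

```python
"""Reconcile a device census with an end-of-support list and an outside-in scan."""

# All records are constructed sample data; the field names are assumptions,
# not the schema of any CISA list or vendor export.
CENSUS = [  # passive discovery output (internal asset records)
    {"asset_id": "A-001", "vendor": "ExampleNet", "model": "FW-100", "public_ip": "198.51.100.10"},
    {"asset_id": "A-002", "vendor": "examplenet ", "model": "vpn-20", "public_ip": None},
    {"asset_id": "A-003", "vendor": "AcmeHVAC", "model": "CTRL-7", "public_ip": None},
    {"asset_id": "A-004", "vendor": "ExampleNet", "model": "RTR-9", "public_ip": "198.51.100.11"},
]
EOS_LIST = [  # end-of-support edge devices, with an exploitation-history flag
    {"vendor": "ExampleNet", "model": "FW-100", "known_exploited": False},
    {"vendor": "ExampleNet", "model": "VPN-20", "known_exploited": True},
]
EXTERNAL = [  # outside-in view of internet-facing hosts
    {"public_ip": "198.51.100.10", "vendor": "ExampleNet", "model": "FW-100"},
    {"public_ip": "198.51.100.77", "vendor": "ExampleNet", "model": "VPN-20"},
]


def key(rec):
    """Normalise vendor/model so casing and stray whitespace do not hide a match."""
    return (rec["vendor"].strip().lower(), rec["model"].strip().lower())


def build_baseline(census, eos_list, external):
    eos = {key(e): e["known_exploited"] for e in eos_list}
    exposed_ips = {h["public_ip"] for h in external}
    known_ips = {a["public_ip"] for a in census if a["public_ip"]}

    findings = [
        {"asset_id": a["asset_id"],
         "known_exploited": eos[key(a)],
         "internet_facing": a["public_ip"] in exposed_ips}
        for a in census if key(a) in eos
    ]
    # Known-exploited first, then internet-facing, then asset id for stable output.
    findings.sort(key=lambda f: (not f["known_exploited"], not f["internet_facing"], f["asset_id"]))

    # External hosts with no internal record: exposure the inventory does not reflect.
    unrecorded = [dict(h, end_of_support=key(h) in eos)
                  for h in external if h["public_ip"] not in known_ips]
    return findings, unrecorded


if __name__ == "__main__":
    eos_assets, unrecorded = build_baseline(CENSUS, EOS_LIST, EXTERNAL)
    for f in eos_assets:
        print(f)
    for h in unrecorded:
        print("not in inventory:", h)
```

Run on a schedule against fresh discovery and exposure exports, the same join keeps the baseline current instead of producing a single snapshot.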

Compliance Requires More Than a One-Time Inventory

Agencies working toward BOD 26-02 compliance need more than a one-time inventory. They need a repeatable, defensible approach to understanding and managing their evolving attack surface.

RavenTek supports federal teams across this lifecycle, from initial discovery through continuous monitoring and compliance reporting, helping translate visibility into sustained operational control.
