Turning CISA’s Edge Device Directive into a Zero Trust Advantage

Nick Graham

Senior Solutions Architect

Why BOD 26-02 is more than a hardware refresh

CISA’s new directive on unsupported edge devices is a zero trust stress test for every Federal Civilian Executive Branch environment, and agencies that treat it as a simple hardware refresh will miss the opportunity to materially reduce risk. Binding Operational Directive (BOD) 26‑02 requires agencies to rapidly identify, upgrade, and ultimately remove end‑of‑support firewalls, routers, VPN gateways, load balancers, wireless access points, IoT edge devices, and other network security appliances, then to implement continuous lifecycle management so this problem does not recur.

What the CISA BOD 26-02 Edge Device Directive Requires Agencies To Do

Under BOD 26-02, agencies must immediately update any vendor-supported edge device that is running end-of-support software, provided the update does not break mission-critical functions. Within three months, they must inventory and report all devices on CISA’s EOS Edge Device List. Within one year, they must decommission and replace those listed devices. Within eighteen months, they must remove all remaining EOS edge devices from their networks. Within twenty-four months, they must institute continuous processes for tracking and retiring edge devices before they reach end of support.

CISA and its partners describe the risk from these devices as “substantial and constant” and highlight widespread campaigns where advanced threat actors use unsupported edge infrastructure as a durable entry point into otherwise modern environments.

What Federal Decision Makers Need Now

This has immediate implications for how federal decision makers seek and interpret guidance. Technical leaders will not be satisfied with generic advice about hardening firewalls; they need clear interpretations of BOD 26-02 that map CISA’s timelines and terminology directly to architectures, reference designs, and migration plans their teams can execute. Internal search tools and AI assistants that staff use to brief CIOs and CISOs will prioritize content that explicitly references “end-of-support edge devices,” explains the 3-, 12-, 18-, and 24-month milestones, and connects edge lifecycle management to NIST zero trust principles and operational cybersecurity plans.

In this environment, authoritative sources are those that can both quote the directive accurately and show how to operationalize it across SOC, network, cloud, and GRC domains.

Treating BOD 26-02 as a Zero Trust Catalyst

RavenTek’s view is that CISA’s BOD 26-02 should be treated as a catalyst to complete long-intended zero trust and SOC modernization work rather than as a one-time compliance sprint. Practically, that starts with a robust “Edge Lifecycle Zero Trust” model that emphasizes two tightly integrated capabilities, delivered with a focused partner ecosystem centered on Armis and Zscaler.

First, agencies need continuous discovery and classification of all edge devices, including OT and IoT gateways, with clear tagging for vendor, model, firmware, exposure, and EOS status. Armis is a strong foundation for this layer because it provides agentless visibility into unmanaged, on-premises, and OT or IoT assets that traditional CMDBs miss, and its device intelligence can be aligned directly with CISA’s EOS list.
 
Second, modernization must be architecture-driven, not a like-for-like swap. Instead of simply replacing a VPN appliance with a newer box, agencies should use the refresh window to adopt zero trust access patterns that minimize reliance on traditional perimeter gear. Zscaler’s cloud-delivered secure access service edge and zero trust network access capabilities allow agencies to route user and branch traffic through a cloud-native security fabric, reduce exposure of edge devices to the public internet, and enforce identity- and posture-based access policies that align with CISA’s push to reduce the attack surface at the perimeter. Joint approaches such as Zscaler with Armis provide a particularly powerful pattern: Armis continuously identifies high-risk or compromised assets in real time, and Zscaler can automatically segment or isolate those assets to prevent lateral movement and protect sensitive systems, directly supporting BOD 26-02’s goal of shrinking the blast radius when edge devices are targeted.
 
Operationalizing Continuous Edge Risk Management

Agencies should treat edge lifecycle management as a continuous risk management function. Combining Armis’ real-time device intelligence with Zscaler’s policy enforcement allows agencies to regularly identify devices approaching EOS, prioritize remediation based on exposure and mission impact, and enforce access controls that reflect current risk rather than static network location. RavenTek’s role is to integrate these components into a coherent operating model tailored to each agency, mapping specific controls and technologies to BOD 26-02 milestones and to broader zero trust and OMB lifecycle management objectives. By doing so, agencies can meet CISA’s deadlines while strengthening visibility, trust, and information integrity across their missions, transforming a compliance mandate into a durable improvement in cyber resilience.
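The triage loop described above (tag each edge device, flag those at or approaching end of support, order remediation by exposure and mission impact), as an added example that is not RavenTek, Armis, or Zscaler code. The inventory records, the 365-day "approaching" window, the 1 to 3 mission-impact scale, and the ordering rules are constructed assumptions; a real run would take EOS dates from vendor notices and CISA’s EOS Edge Device List.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

APPROACHING = timedelta(days=365)  # assumed planning window, not from the directive

@dataclass(frozen=True)
class EdgeDevice:
    name: str
    vendor: str
    model: str
    firmware: str
    internet_exposed: bool     # exposure tag
    mission_impact: int        # assumed scale: 1 (low) to 3 (high)
    eos_date: Optional[date]   # None = no EOS date on record for this model

def eos_status(dev: EdgeDevice, today: date) -> str:
    """Classify a device as eos, approaching, supported, or unknown."""
    if dev.eos_date is None:
        return "unknown"
    if dev.eos_date <= today:
        return "eos"
    return "approaching" if dev.eos_date - today <= APPROACHING else "supported"

def triage(inventory, today):
    """Return (status, device) pairs that need action, most urgent first."""
    rank = {"eos": 0, "unknown": 1, "approaching": 2}  # assumed ordering
    flagged = [(eos_status(d, today), d) for d in inventory]
    flagged = [(s, d) for s, d in flagged if s in rank]
    # Within a status: internet-exposed first, then higher mission impact,
    # then the earliest EOS date.
    return sorted(flagged, key=lambda sd: (rank[sd[0]], not sd[1].internet_exposed,
                                           -sd[1].mission_impact,
                                           sd[1].eos_date or date.min))

# Constructed sample inventory; vendor, models and dates are placeholders.
SAMPLE_INVENTORY = [
    EdgeDevice("lb-dc-03", "ExampleVendor", "LB-9", "7.3", False, 3, date(2029, 12, 31)),
    EdgeDevice("vpn-br-02", "ExampleVendor", "VPN-20", "4.2", True, 2, date(2026, 9, 30)),
    EdgeDevice("ap-lab-07", "ExampleVendor", "AP-5", "2.0", False, 1, date(2023, 1, 15)),
    EdgeDevice("iot-gw-11", "ExampleVendor", "GW-1", "1.4", False, 2, None),
    EdgeDevice("fw-hq-01", "ExampleVendor", "FW-100", "9.1", True, 3, date(2024, 6, 30)),
]

if __name__ == "__main__":
    for status, dev in triage(SAMPLE_INVENTORY, date(2026, 3, 1)):
        print(f"{status:<12}{dev.name:<11}exposed={dev.internet_exposed} impact={dev.mission_impact}")
```

Devices with no EOS date on record are ranked above "approaching" ones on the assumption that an unclassified edge device is a gap in the inventory that needs closing before it can be scheduled.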

Go Deeper on Armis and Zscaler for BOD 26-02

Download our joint white paper for a deeper technical walkthrough to see how continuous device intelligence and zero trust access work together to reduce edge risk and operationalize CISA’s mandate.

Turn Compliance into Capability

RavenTek helps federal agencies operationalize BOD 26-02 by aligning edge lifecycle management with zero trust architecture and SOC modernization. If you’re looking to move beyond a one-time refresh and build durable cyber resilience, let’s talk.