BOD 26-02 Mitigating Risk From End-of-Support Edge Devices

BLUF

BOD 26-02, judging by its title, is intended to drive federal agencies to eliminate or tightly mitigate the cybersecurity risk posed by end-of-support (EoS) internet-facing "edge devices" (e.g., firewalls, VPN concentrators, routers, ADC/load balancers). It requires agencies to identify such devices, reduce or close their exposure, replace or otherwise mitigate them, and report status to CISA.


Required actions

Identify: Build a complete inventory of edge devices and their support status

What to do

·       Enumerate all edge devices (internet-facing and boundary devices), including: make/model, OS/firmware, location, owner, exposure points, and vendor support/EoS date.

·       Flag devices that are: (a) internet-accessible, (b) remotely administered, (c) in critical paths (identity, email, core networking), (d) EoS / no longer receiving security updates.

Typical owners

·       Network Engineering / Infrastructure Ops (primary technical inventory)

·       IT Asset Management / CMDB team (authoritative record)

·       System Owners (confirm ownership/mission criticality)

·       CISO / Risk team (classification and risk acceptance logic)

Decide: Triage and prioritize EoS edge devices by risk

What to do

·       Rank EoS devices by exploitability + impact: internet exposure, exposed admin interfaces, known exploited history, privileged access paths, and logging/visibility gaps.

·       Identify “can’t replace fast” cases that will require compensating controls + formal risk acceptance.
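As an added example (not part of the directive or this post), the following script applies the Identify flags (a)-(d) and the Decide ranking inputs above to a constructed inventory and marks the "can't replace fast" cases; the field names, score weights, and the 90-day replacement threshold are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
TODAY = date(2026, 3, 1)  # assumed evaluation date for the constructed sample

@dataclass
class EdgeDevice:
    name: str
    make_model: str
    owner: str
    internet_facing: bool      # (a) reachable from the internet
    remote_admin: bool         # (b) remotely administered
    critical_path: bool        # (c) identity, email or core networking path
    eos_date: Optional[date]   # (d) vendor end-of-support date; None = still supported
    admin_exposed: bool        # admin interface exposed to the internet
    known_exploited: bool      # product line has a known exploited history
    privileged_path: bool      # sits on a privileged access path
    logging_gap: bool          # not shipping logs to central monitoring
    replace_days: int          # estimated days to decommission or replace

def identify_flags(d: EdgeDevice) -> set:
    """Flags (a)-(d) from the Identify step."""
    checks = {"internet-accessible": d.internet_facing,
              "remotely-administered": d.remote_admin,
              "critical-path": d.critical_path,
              "eos": d.eos_date is not None and d.eos_date <= TODAY}
    return {flag for flag, hit in checks.items() if hit}

def risk_score(d: EdgeDevice) -> int:
    """Exploitability plus impact from the Decide inputs; the weights are assumed."""
    exploitability = 3 * d.internet_facing + 3 * d.admin_exposed + 2 * d.known_exploited
    impact = 2 * d.critical_path + 2 * d.privileged_path + 1 * d.logging_gap
    return exploitability + impact

def triage(devices, replace_within_days=90):
    """Rank EoS devices by risk; mark 'can't replace fast' cases for risk acceptance."""
    eos = [d for d in devices if "eos" in identify_flags(d)]
    return [{"name": d.name, "score": risk_score(d), "flags": sorted(identify_flags(d)),
             "needs_risk_acceptance": d.replace_days > replace_within_days}
            for d in sorted(eos, key=risk_score, reverse=True)]

INVENTORY = [  # constructed sample inventory, not real devices
    EdgeDevice("vpn-1", "VendorA VPN concentrator", "NetEng", True, True, True,
               date(2025, 6, 30), True, True, True, False, 180),
    EdgeDevice("fw-edge-2", "VendorB firewall", "NetEng", True, True, True,
               date(2025, 12, 31), False, False, False, True, 60),
    EdgeDevice("lb-int-3", "VendorC ADC", "AppOps", False, True, False,
               date(2027, 1, 1), False, False, False, False, 30),
]
```

Devices whose EoS date is still in the future drop out of the ranked list but keep their other flags, which is what the inventory step needs for the next review cycle.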


Typical owners

·       Vulnerability Management (risk scoring, known exploit exposure inputs)

·       SOC / Threat Intel (threat-driven prioritization)

·       CISO (final prioritization and risk decisions)


Act: Remove exposure and apply compensating controls immediately for EoS devices

What to do

Common required control set for edge devices

·       Remove internet-exposed management interfaces (or restrict to tightly controlled admin networks).

·       Enforce strong authentication (phishing-resistant MFA where feasible), least privilege, and secure admin access paths.

·       Disable unneeded services/ports/features; apply hardened configurations.

·       Segment/contain: isolate the device and restrict lateral movement and management-plane reachability.

·       Centralize logs + monitor for edge-device abuse patterns.

Typical owners

·       Network Engineering / Perimeter team (access controls, segmentation, hardening)

·       IAM team (MFA/privileged access controls)

·       SOC / SIEM engineering (logging, detections, response playbooks)


These actions track closely with joint, vendor-agnostic edge-device mitigation guidance (hardening, strong auth, disable unneeded features, secure management interfaces, central monitoring).


Replace: Decommission or replace EoS edge devices on a defined schedule

What to do

·       Plan and execute replacement with vendor-supported hardware/software.

·       Ensure new devices are procured/configured “secure-by-design,” patched, hardened, and onboarded to monitoring from day 1.

Typical owners

·       CIO org / Infrastructure leadership (execution priority + resources)

·       Procurement / Acquisition (purchase + contract vehicles)

·       Network Engineering (design/migration)

·       Change/Release Management (implementation control)

Govern: Document exceptions, risk acceptances, and POA&Ms where replacement isn't immediate

What to do

If an EoS device must remain temporarily, document:

·       why it can’t be replaced yet,

·       what compensating controls are in place,

·       the timeline to full remediation,

·       who accepted the risk.

·       Track each exception in the POA&M and in leadership risk registers.

Typical owners

·       CISO / Governance, Risk & Compliance (GRC) (risk acceptance + POA&M)

·       System Owner / Authorizing Official (AO) reps (mission justification)


Report: Provide CISA-required reporting artifacts and updates

What to do

·       Submit inventories, remediation status, exception justifications, and milestones per the directive’s reporting format.

Typical owners

·       CISO/GRC (submission owner)

·       Network/Infra leads (evidence)

·       CDM Program team (if reporting is routed through CDM tooling, as is common for federal reporting workflows)

How this will impact FISMA scores and audits

BODs are compulsory: federal civilian agencies are required to comply with them.

FISMA expects agencies to comply with DHS/CISA Binding Operational Directives, and this linkage is explicitly recognized in federal oversight (e.g., GAO discussion of FISMA requirements and BODs).


Expected scoring/audit effects (practical impacts)

·       Stronger posture can raise maturity in “Identify/Protect/Detect” areas

·       Better asset inventory accuracy and lifecycle control (Identify)

·       Improved boundary protection, configuration/hardening, and vulnerability exposure reduction (Protect)

·       Better log collection/monitoring of edge infrastructure (Detect)


FISMA reporting is aligned to the NIST CSF functions (Identify/Protect/Detect/Respond/Recover), so these improvements map cleanly into how programs are evaluated.


Noncompliance becomes easy audit “findings fuel”

If auditors/IGs find internet-facing EoS edge devices without documented mitigations and timelines, it can show up as:

·       A control deficiency,

·       Repeat findings (if previously noted),

·       POA&M items with leadership visibility,

·       Negative narrative in the annual FISMA evaluation.


Waivers/exceptions will be scrutinized

OMB's FISMA guidance contemplates agencies reporting on exceptions and waivers from OMB policies and from CISA Emergency Directives and BODs, so any "we couldn't comply" position needs to be tightly justified and tracked.


Bottom line for audits

Best case

·       Compliance work for BOD 26-02 becomes strong evidence during FISMA evaluation (better inventory discipline, reduced external attack surface, documented governance).

Worst case

·       Unmanaged EoS edge devices become a high-visibility weakness that drives POA&Ms and potentially drags down maturity narratives in multiple metric areas.
