CISA’s new Binding Operational Directive, BOD 26-02: Mitigating Risk from End-of-Support Edge Devices, addresses one of the most persistent and dangerous blind spots in modern enterprise security: unsupported devices quietly operating at the edge of the network.
While the directive is scoped to edge devices, its implications are much broader. You cannot identify unsupported edge risk without first understanding every connected device in your environment. And that is where most organizations fall short.
This directive is not theoretical. It reflects the reality we see every day across customer environments.
At Phosphorus, we consistently find that roughly 26% of an organization’s connected devices are end of life or end of support. That single category represents the greatest edge risk most organizations face.
Unsupported Devices Are a Dead End for Remediation
End-of-support devices create a security condition that traditional IT teams are not equipped to handle.
These devices are almost always running outdated, vulnerable firmware. When a zero-day vulnerability emerges and the affected device is no longer supported, there is no remediation path. No patch is coming. No vendor fix exists. The organization is left with only two options: accept the risk or remove the hardware.
In practice, many of these devices remain in place because organizations lack visibility into where they are, what they are, or whether they are even still supported.
CISA’s directive directly targets this failure mode by requiring agencies to inventory edge devices, identify those that are unsupported, and take decisive action.
That pressure is necessary.
Why Traditional Tools Leave Organizations Guessing
Although BOD 26-02 focuses on edge devices, organizations cannot comply by looking at the edge in isolation.
Most enterprises rely on traditional vulnerability management or cyber exposure management platforms to understand device risk. These tools work well for servers, endpoints, and known IT assets. They were not designed to handle the diversity, sensitivity, and protocol complexity of xIoT environments.
As a result, they often lack the device-level detail required to accurately identify:
- Exact device make and model
- Whether a device is end of support or end of life
- Whether firmware is vendor-supported or permanently unpatchable
Phosphorus Is Purpose-Built for This Exact Problem
Phosphorus was designed specifically to address unmanaged and unsupported devices across IoT, OT, IIoT, and IoMT environments.
The Phosphorus platform accurately identifies and assesses every connected device on the network, including determining whether a device is end-of-life or end-of-support based on manufacturer data and granular device model details.
This is not guesswork. It is derived from direct, safe interaction with devices using their native protocols. That level of precision matters when decisions involve decommissioning hardware or accepting operational risk.
Discovery alone is not enough. Phosphorus goes beyond inventory to provide actionable risk context, including:
- Identification of end-of-support or end-of-life devices
- Firmware version analysis and known vulnerability exposure
- Configuration and credential risk assessment
This is the foundation required to comply with BOD 26-02 in a meaningful way.
A Necessary Forcing Function
We applaud CISA’s directive because it acts as a forcing function for organizations to confront risks that have been allowed to accumulate for years.
The directive drives four critical outcomes:
- Surface exposures quickly by requiring a comprehensive edge device inventory
- Inventory and assess impacted devices, including support status
- Upgrade what is still supported to reduce exposure
- Decommission what is not, eliminating risk that cannot be remediated
Equally important, the directive emphasizes the need for continuous monitoring and control to prevent the same problem from recurring in the future.
That last point is often overlooked. Unsupported devices are not a one-time cleanup problem. They are a lifecycle management problem.
The Operational Takeaway Is Straightforward
The lesson from BOD 26-02 is clear and applicable far beyond federal agencies.
Organizations must:
- Identify and assess every connected device on the network, including support status
- Settle for nothing less than full visibility; partial discovery is not enough
- Reduce risk through active remediation, not documentation
- Harden and manage edge devices continuously through strong credential hygiene, current firmware, and secure configurations
When devices fall out of support, the decision should be intentional and informed, not accidental and invisible.
If you are responsible for edge risk and do not know which of your devices are already unsupported, that uncertainty is the risk.
Phosphorus can help. Schedule a demo to see how quickly Phosphorus can help you identify end-of-support devices: https://phosphorus.io/request-a-demo/
Author
Phosphorus Cybersecurity
Phosphorus Cybersecurity® is the leading xTended Security of Things™ platform designed to find, fix, and monitor the rapidly growing and often unmonitored Things of the enterprise xIoT landscape.

