The Cybersecurity and Infrastructure Security Agency is urging a wholesale shift in how organizations track and retire aging technology, unveiling a two-pronged push that pairs a new mandate for federal civilian agencies with an international data standard designed to automate end-of-life monitoring.
CISA said attackers are repeatedly breaking into public- and private-sector networks by targeting edge devices—such as VPNs, firewalls, and routers—that have reached end of support and no longer receive patches. Those footholds have enabled intrusions, long-term persistence, and data theft across critical infrastructure and government systems.
To curb that risk inside federal networks, CISA issued Binding Operational Directive 26-02 directing civilian agencies to identify and replace end-of-support (EOS) edge devices, keep software up to date, and remediate known vulnerabilities. While the directive is compulsory only for federal civilian agencies, the agency is calling on all organizations to take similar steps as part of their vulnerability management programs.
At the same time, CISA is backing OpenEoX, a machine-readable, open standard intended to make it far easier for buyers and defenders to learn when products are nearing or past end of support. Developed through the OASIS Open standards body, OpenEoX provides a lightweight JSON schema for sharing product lifecycle milestones and is designed to plug into widely used security practices and formats, including Software Bills of Materials (SBOMs) and the Common Security Advisory Framework (CSAF).
The aim is to replace today’s patchwork of vendor web pages, PDFs, and portal-restricted notices with consistent, automatable data that security tools can ingest at scale. With OpenEoX embedded in asset inventories, vulnerability scanners, and procurement systems, organizations could more quickly flag unsupported devices on their networks and plan replacements before attackers exploit them. The standard also extends beyond traditional IT to cover hardware, software, services, and AI models, reflecting how modern environments blend multiple product types.
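To make the correlation concrete, here is an added example (not code from the article or from the OpenEoX project) that joins a small lifecycle feed with an asset inventory and flags devices that are past, near, or missing end-of-support data. The JSON field names (`product`, `version`, `end_of_support`) and the sample product names are illustrative assumptions, not the real OpenEoX schema; a production integration would map the actual OpenEoX fields instead.

```python
# Added example, not from the article or OpenEoX: correlate a lifecycle feed
# with an edge-device inventory. Field names ("product", "version",
# "end_of_support") are illustrative placeholders, NOT the real OpenEoX schema.
import json
from datetime import date, timedelta

# Constructed vendor lifecycle feed (sample data, not real products).
LIFECYCLE_FEED = json.dumps({"products": [
    {"product": "ExampleVPN", "version": "7.x", "end_of_support": "2024-06-30"},
    {"product": "ExampleVPN", "version": "8.x", "end_of_support": "2026-03-31"},
    {"product": "ExampleFW", "version": "4.x", "end_of_support": "2025-12-31"},
]})

# Constructed inventory of internet-facing devices.
INVENTORY = [
    {"host": "vpn-01", "product": "ExampleVPN", "version": "7.x"},
    {"host": "vpn-02", "product": "ExampleVPN", "version": "8.x"},
    {"host": "fw-01", "product": "ExampleFW", "version": "4.x"},
    {"host": "rtr-01", "product": "ExampleRouter", "version": "1.x"},  # no feed entry
]

def load_milestones(feed_json):
    """Index end-of-support dates by (product, version) for direct lookup."""
    return {(p["product"], p["version"]): date.fromisoformat(p["end_of_support"])
            for p in json.loads(feed_json)["products"]}

def classify_assets(inventory, milestones, today, warn_days=180):
    """Map host -> 'eos', 'approaching' (within warn_days), 'supported' or 'unknown'."""
    horizon = today + timedelta(days=warn_days)
    result = {}
    for asset in inventory:
        eos = milestones.get((asset["product"], asset["version"]))
        if eos is None:
            result[asset["host"]] = "unknown"   # untrackable: itself a finding
        elif eos < today:
            result[asset["host"]] = "eos"
        elif eos <= horizon:
            result[asset["host"]] = "approaching"
        else:
            result[asset["host"]] = "supported"
    return result

def flag_edge_devices(today_iso="2025-10-01"):
    """Run the correlation for a given date (ISO string) over the sample data."""
    return classify_assets(INVENTORY, load_milestones(LIFECYCLE_FEED),
                           date.fromisoformat(today_iso))

if __name__ == "__main__":
    for host, status in sorted(flag_edge_devices().items()):
        print(f"{host}: {status}")
```

Note that a device with no lifecycle entry at all is reported as `unknown` rather than silently treated as supported, since a gap in the feed is exactly what automated tracking cannot cover.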
According to the initiative’s backers, the approach offers benefits on both sides of the market. Vendors gain a standardized way to publish lifecycle milestones, cutting help-desk burden and confusion while improving transparency with customers. Operators and defenders gain a feed of structured data that can be correlated with inventories and advisories to prioritize replacements, patches, and upgrades.
CISA and the OpenEoX community outlined specific steps to drive adoption. Technology producers are encouraged to publish OpenEoX documents for their products without gating access behind customer portals or paywalls and to integrate the format into vulnerability management and asset tooling. On the customer side, organizations are urged to adapt workflows so OpenEoX data informs asset lifecycle planning, including proactive swaps of EOS devices and faster remediation of high-risk exposures, and to press suppliers and partners to adopt the standard.
Security researchers and incident responders have long warned that unmaintained edge gear is a favored target for sophisticated threat actors, precisely because it is exposed to the internet and often difficult to patch or replace once deployed in production. High-profile breaches in recent years have repeatedly traced back to appliances and platforms that were out of date or no longer supported, underscoring the operational and national-security stakes when lifecycle management lags.
By coupling a federal requirement to retire unsupported edge devices with an open standard for broadcasting product status, CISA is betting the ecosystem can move from ad hoc, manual checks to a more predictable and automated model. The agency frames that shift as essential to keeping pace with adversaries who increasingly exploit known flaws within days—or hours—of disclosure.
Documentation for the standard, reference materials, and code are publicly available through the OpenEoX website and GitHub repository, alongside a technical report published in April 2025 that details how the framework aligns with existing security standards.