Ghosted No More: CISA Unleashes BOD 26-02 and OpenEoX to Kill the “End-of-Life” Security Gap
The proliferation of “abandoned” technologies at the periphery of corporate networks has increasingly become an attractive point of ingress for cyber offensives. Unsupported hardware and software, no longer maintained by their manufacturers, often persist within infrastructures for years, granting adversaries a strategic foothold from which to entrench themselves and ultimately compromise sensitive data. Researchers posit that these perimeter devices, burdened by unpatched vulnerabilities, serve as the quintessential gateways for malware operators.
The United States Cybersecurity and Infrastructure Security Agency (CISA) has reported a recurring pattern of incidents where “End-of-Life” (EoL) edge devices play a pivotal role. The agency evaluates these components as one of the most hazardous sources of systemic risk to federal networks and critical infrastructure, noting a profound interest from state-sponsored threat actors.
To mitigate this burgeoning peril, CISA has promulgated a mandatory directive, BOD 26-02. This mandate obligates civilian federal agencies to identify and decommission unsupported perimeter hardware, ensure the timely application of software updates, and remediate known vulnerabilities. Furthermore, CISA advocates for the adoption of a commensurate approach beyond the federal sphere.
In tandem with OASIS Open, the agency is championing OpenEoX—a global, machine-readable standard designed to delineate the product lifecycle, including the definitive cessation of support. Utilizing a JSON schema, the standard is engineered for seamless integration with established formats such as SBOM (Software Bill of Materials) and CSAF (Common Security Advisory Framework). The objective is to automate the exchange of support status data, streamline asset inventory, and expeditiously identify technologies approaching, or already past, the end of their support lifecycle.
The authors of the initiative—Chris Butera of CISA and Justin Murphy, chair of the OpenEoX technical committee—contend that manufacturers should publish OpenEoX data transparently, eschewing barriers such as paywalls or restricted portals. Concurrently, they urge developers of vulnerability scanners and asset management platforms to incorporate support for this standard. Organizations are encouraged to weave such intelligence into their existing workflows to facilitate the proactive planning of legacy device replacement and ensure that critical security remediations are applied before protection lapses.
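The workflow the article describes, that is, consuming machine-readable lifecycle data and matching it against an asset inventory so that devices approaching or past end of support surface before protection lapses, can be illustrated with a short script. The following is an added example, not code from CISA, OASIS or the OpenEoX project: the JSON layout (a `products` list carrying `vendor`, `name`, `version` and an ISO-8601 `end_of_support` date), the vendor and host names, and the 180-day warning window are all constructed assumptions for illustration and do not reproduce the actual OpenEoX schema.

```python
"""Flag inventory assets against vendor end-of-support data.

Constructed example. The document layout below is an assumed, hypothetical
JSON structure chosen for illustration; it is NOT the real OpenEoX schema.
"""
import json
from datetime import date, timedelta

# Constructed lifecycle feed in the assumed layout (hypothetical vendor/products).
LIFECYCLE_JSON = """
{
  "publisher": "ExampleVendor (constructed)",
  "products": [
    {"vendor": "ExampleVendor", "name": "EdgeGateway", "version": "7",
     "end_of_support": "2023-06-30"},
    {"vendor": "ExampleVendor", "name": "EdgeGateway", "version": "8",
     "end_of_support": "2026-03-31"},
    {"vendor": "ExampleVendor", "name": "EdgeGateway", "version": "9",
     "end_of_support": null}
  ]
}
"""

# Constructed asset inventory (assumption): one record per perimeter device.
INVENTORY = [
    {"host": "vpn-01", "vendor": "ExampleVendor", "name": "EdgeGateway", "version": "7"},
    {"host": "vpn-02", "vendor": "ExampleVendor", "name": "EdgeGateway", "version": "8"},
    {"host": "fw-01", "vendor": "ExampleVendor", "name": "EdgeGateway", "version": "9"},
    {"host": "lb-01", "vendor": "OtherVendor", "name": "Balancer", "version": "2"},
]


def load_lifecycle(doc_text):
    """Index end-of-support dates by (vendor, name, version).

    A missing or null date is kept as None: the vendor has not announced an
    end of support, which is different from the product being unlisted.
    """
    index = {}
    for product in json.loads(doc_text)["products"]:
        key = (product["vendor"], product["name"], product["version"])
        raw = product.get("end_of_support")
        index[key] = date.fromisoformat(raw) if raw else None
    return index


def classify(asset, index, today, warn_days=180):
    """Return one of: unknown, supported, approaching_eol, past_eol.

    "unknown" means no lifecycle record exists for this product at all, which
    is itself a finding: the vendor publishes no usable support-status data.
    """
    key = (asset["vendor"], asset["name"], asset["version"])
    if key not in index:
        return "unknown"
    end_of_support = index[key]
    if end_of_support is None:
        return "supported"
    if end_of_support < today:
        return "past_eol"
    if end_of_support - today <= timedelta(days=warn_days):
        return "approaching_eol"
    return "supported"


def assess_inventory(inventory, doc_text, today, warn_days=180):
    """Map each inventory host to its support status on the given date."""
    index = load_lifecycle(doc_text)
    return {asset["host"]: classify(asset, index, today, warn_days) for asset in inventory}


if __name__ == "__main__":
    # Fixed reference date so the run is reproducible (constructed).
    report = assess_inventory(INVENTORY, LIFECYCLE_JSON, date(2025, 11, 15))
    for host, status in report.items():
        print(f"{host}: {status}")
```

The four-way result is deliberate: `past_eol` hosts are the decommissioning candidates the directive targets, `approaching_eol` hosts feed replacement planning within the chosen warning window, and `unknown` hosts flag products for which no lifecycle data could be obtained, which is the transparency gap the initiative's authors want vendors to close. In practice the feed would be fetched from the vendor and the inventory drawn from the asset-management platform rather than embedded as constants.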