• Platform
    Platform
    Nucleus Platform
    Scale and automate your vulnerability and exposure management program
    Vulnerability Intelligence Platform
    Access centralized and enriched vulnerability intelligence
    Nucleus Insights Intelligence Feed
    AI-powered, expert-validated threat and vulnerability intelligence
    Integrations
    Discover our ecosystem of 200+ connectors
    Capabilities
    Vulnerability Aggregation
    Unify and operationalize your vulnerability data in one platform
    Risk Prioritization
    Prioritize with asset context and threat intelligence
    Vulnerability Remediation
    Automate workflows to prioritize and mitigate critical exposures
    Vulnerability Intelligence
    Enrich vulnerability findings with real-world threat intelligence
    Asset Management
    Unify asset data to automate your vulnerability and exposure management
    Plan of Action and Milestones (POAM)
    Automate POA&M compliance at scale
    Compliance Frameworks
    Align with compliance framework controls and requirements.
    MCP Server
    Interact with your data using natural language and AI tools
  • Solutions
    Public Sector
    Federal Government
    Vulnerability and exposure management for government agencies
    State, Local, and Education (SLED)
    Centralize security and simplify compliance for state and local government
    Use Cases
    Exposure Management
    Scale and automate your exposure management program
    Risk-Based Vulnerability Management
    Address vulnerabilities with risk-based context and prioritization
    Application Security
    Shift left application security with production risk context
    Cloud Vulnerability and Exposure Management
    Conquer critical exposures across hybrid clouds
    Featured Report
    Gartner EAP MQ
    Nucleus Security Recognized as a Challenger in 2025 Gartner® Magic Quadrant™ Report

    We have been recognized for our Completeness of Vision and Ability to Execute.

    GET THE REPORT
  • Partners
    Partner Program
    Program Overview
    Learn more about our growing partner program
    MSSPs
    Explore opportunities for MSSP partnerships
    Marketplaces
    Find Nucleus on leading industry marketplaces
    Partner Resources
    Partner Directory
    Explore our ecosystem of partners
    Become a Partner
    Submit your request to join our partner program
    Deal Registration
    Easily register deals with Nucleus
    Partner Portal
    Log in to our dedicated Partner Portal
    Partner Case Study
    Orange Cyberdefense
    Case Study: Orange Cyberdefense

    Orange Cyberdefense leverages Nucleus to streamline vulnerability management, reduce costs, and drive impactful security insights for its customers.

    LEARN MORE
  • Resources
    Resources
    Resource Library
    Discover customer stories, reports, research, and more
    Blog
    Stay informed with the Nucleus Node blog
    Webinars
    Learn from industry experts and Nucleus leaders
    Events
    Meet with us virtually and in-person
    CISA KEV Enrichment Dashboard
    Quickly analyze vulnerabilities identified by CISA
    Featured Resources

    Gartner Exposure Assessment Platform Magic Quadrant

    Nucleus Security recognized as a Challenger by Gartner.

    LEARN MORE

    Omdia Technical Validation

    LEARN MORE
    Featured Articles

    RSAC 2026 BINGO: Your Unofficial Survival Guide to Moscone

    READ MORE

    Exposure Assessment Platforms Are Here and They’re a Big Part of Successful CTEM

    READ MORE
    Featured Webinars

    From Zero-Day to Remediation

    OPEN WEBINAR

    Why AI Features Don’t Equal Better Vulnerability Management

    OPEN WEBINAR
    Featured Events

    VulnCon 2026 Conference

    LEARN MORE

    Billington State and Local Summit

    LEARN MORE
    Featured Content

    RSAC 2026 BINGO: Your Unofficial Survival Guide to Moscone

    LEARN MORE

    Exposure Assessment Platforms Are Here and They’re a Big Part of Successful CTEM

    LEARN MORE
  • Company
    About
    About Nucleus
    Learn more about who we are as a company
    Careers
    Explore our current openings and join the team
    News
    Read the latest news and articles
    Contact
    Contact Us
    Reach out to the Nucleus team
    Watch a Demo on Demand
    Watch our on-demand video demo
    Schedule Custom Demo
    Request a customized demo suited to your business' needs
    Pricing
    Get a quote based on your unique requirements
    Featured Content
    Omdia Tech Validation Report
    Omdia Technical Validation

    Omdia’s Technical Validation, commissioned by Nucleus, details how Nucleus helps organizations build successful vulnerability and exposure management programs.

    LEARN MORE
Watch A Demo

KNOWLEDGE CENTER

What is CISA BOD 26-02?

Public sector agencies are facing a growing challenge at the edge: devices running software that is no longer supported, no longer patched, and increasingly targeted by attackers. These assets often underpin mission-critical operations, yet they’re among the hardest to inventory, assess, and modernize.

What is BOD 26-02

The guidance in CISA BOD 26-02 on end-of-support (EoS) and end-of-life (EoL) software, particularly for internet-exposed and operational edge devices, reflects this reality. The guidance reinforces what many agencies already know: unsupported edge software is both a technical issue and a mission readiness risk. 

CISA’s BOD 26-02 Five Step Timeline 

CISA’s BOD 26-02 sets a compliance clock providing agencies with a timeline to complete a series of concrete steps by certain dates: 

  • Feb 5, 2026: Apply safe vendor-supported updates.
  • May 5, 2026: Inventory and report on edge devices that appear on CISA’s EOS list.
  • Feb 5, 2027: Decommission devices that have reached EOS.
  • Aug. 5, 2027: Replace remaining EOS edge devices with vendor-supported equipment.
  • Feb. 5, 2028: Operationalize continuous discovery and EOS tracking of edge devices. 

The Risk of Unsupported Edge Software Is a Decision Problem 

Edge devices like firewalls, VPN appliances, load balancers, and other network-connected infrastructure often sit outside traditional endpoint and server management workflows. When these devices reach the end of support, they stop receiving security updates, even as new vulnerabilities continue to emerge. 

CISA has consistently emphasized the risks associated with unsupported software. Once a product is no longer supported by the vendor, organizations lose access to security patches, technical support, and validated mitigation guidance. In many cases, newly disclosed vulnerabilities cannot be remediated at all. This leaves agencies exposed at the network edge. 

For most public sector teams, the challenge lies on the decision-making side with operational and budget constraints: 

  • Where do unsupported assets exist today?
  • Which unsupported systems are externally exposed or operate at the network edge?
  • Which ones meaningfully impact mission operations?
  • Which risks require immediate action, and which require planning, funding, or compensating controls? 

Without shared, trusted context, these decisions are slow, fragmented, and difficult to justify. 

Staying Ahead of Guidance Rather Than Chasing It 

The focus of CISA BOD 26-02 on end-of-support edge devices reflects the reality of today’s threat landscape. Attackers are targeting outdated infrastructure. Because of this, agencies are expected to both identify these risks and demonstrate how decisions are being made to manage them.

Want to Learn More About Nucleus and BOD 26-02?

See how Nucleus employs automated End of Life and End of Support operating system tracking.

Read More

© 2026 Nucleus Security. All rights reserved

Join us at RSAC March 23 – March 26 | Get a free pass, join our T2T reception, and meet with our team →