This page contains a web-friendly version of the Cybersecurity and Infrastructure Security Agency’s Binding Operational Directive 26-02: Mitigating Risk From End-of-Support Edge Devices.
A Binding Operational Directive is a compulsory direction to federal, executive branch, departments and agencies for purposes of safeguarding federal information and information systems. 44 U.S.C. § 3552(b)(1). Section 3553(b)(2) of title 44, U.S. Code, authorizes the Secretary of the Department of Homeland Security (DHS) to develop and oversee the implementation of binding operational directives to implement cybersecurity policies, principles, standards, and guidelines issued by the Director of the Office of Management and Budget (OMB). Federal agencies are required to comply with these directives under 44 U.S.C. § 3554(a)(1)(B)(ii). These directives do not apply to statutorily defined “national security systems” or to certain systems operated by the Department of War or the Intelligence Community. 44 U.S.C. § 3553(b), (d), (e)(2), (e)(3). This directive refers to the systems to which it applies as “Federal Civilian Executive Branch” systems, and to agencies operating those systems as “Federal Civilian Executive Branch” agencies.