What Must Contractors Do to Comply with CISA Emergency Directive 26-03 for Cisco SD‑WAN? 2026

According to GSA guidelines, contractors must treat CISA Emergency Directive 26-03 as an Agency Critical Action that requires immediate inventory, mitigation, and reporting for all Cisco SD‑WAN appliances and controllers under contract. This paragraph addresses the opening compliance steps: inventorying endpoints, applying vendor mitigations and patches, enabling continuous logging, and completing the formal agency-level attestations to CISA. The GSA guidance intersects with agency acquisition policy, the SBA requirements for small business subcontracting, and FAR flowdowns for prime contractors; primes must require subcontractors to comply within the same deadlines. The paragraph references CISA’s timeframe for mitigation and the need to allocate funds—typically $25,000–$150,000 per major site depending on appliance count and managed-services involvement—for patching and forensics. Contractors should expect agency CIOs to require automated evidence (SIEM logs, patch records) and an attestation submitted through the agency portal or as directed by the delegated authorizing official. This opening also notes that primes must update their System for Award Management (SAM) contact details and ensure their FedRAMP-authorized cloud tooling can accept the additional log ingestion for 90 days of retained data as part of the directive’s heightened monitoring.

Per FAR 19.502, small businesses can rely on primes for flowdown of urgent cybersecurity obligations, so prime contractors must require subcontractor compliance with ED 26-03 when Cisco SD‑WAN is in-scope. The Emergency Directive stems from active exploitation of critical Cisco SD‑WAN vulnerabilities (including CVE-2026-20127) that have been observed since 2023, which CISA added to the Known Exploited Vulnerabilities (KEV) catalog. Agencies and contractors must act quickly: the technical mitigations include vendor-supplied patches, configuration changes to disable exposed services, and network segmentation to isolate affected controllers. For small businesses and 8(a)/HUBZone firms, the SBA expects primes to budget for remediation so that flowdown does not create undue financial hardship; primes should document cost-sharing, timelines, and contractor responsibilities in contract modifications under FAR clauses for changes and cybersecurity. The paragraph also explains that FedRAMP-authorized cloud services used for logging and SIEM may require increased throughput and costs during the 90-day heightened monitoring window, and contractors should coordinate with agency ISSOs to ensure evidence collection aligns with agency incident response requirements.

The SBA reports that 78% of small federal contractors rely on prime flow-downs for urgent cyber updates, which makes primes the central compliance enforcer under ED 26-03. That means primes must identify all subcontractors with Cisco SD‑WAN exposure, schedule immediate vulnerability scans, and collect attestations or remediation evidence. Contractors should use standardized templates for attestations to speed agency reporting and avoid inconsistent data that can delay authorization. The Emergency Directive explicitly requires logging and retention: enable full audit and packet-level logs where feasible, send logs to a FedRAMP-authorized cloud SIEM or agency-managed collection point, and retain logs for at least 90 days for forensic analysis. Additionally, this paragraph underscores that contractors with DoD work must ensure their actions align with DoD policies and CMMC considerations; DoD’s CMMC framework requires demonstrable cybersecurity controls for contractors handling sensitive systems and will treat ED compliance as a critical control in upcoming assessments.

According to GSA guidelines, contractors must inventory every Cisco SD‑WAN device—controllers, vManage instances, vSmart controllers, and edge devices—reporting serial numbers, software versions, IP addresses, and management access details to the agency. Under OMB M-25-21, agencies will require verifiable artifacts as part of the attestation process; collectors should include screenshots of patch installations, software version outputs, IPS/IDS alerts, and SIEM ingestion confirmations. Contractors should perform vulnerability scans with approved tools and capture full scan results. Per FAR acquisition rules, primes must issue a unilateral modification or PWS change when necessary to require subcontractor compliance. Contractors must budget for forensics and potential system replacement—expect $25,000–$150,000 in remediation per major site depending on scale—and coordinate with the agency CISO for evidence upload to the agency portal or designated CISA intake channel.

DoD's CMMC framework requires auditable controls for network security and will consider failure to meet ED 26-03 as evidence of deficient security posture in future assessments; contractors with DoD contracts should treat ED remediation as immediate CMMC control actions. Per FAR 52.204-21 and relevant DFARS clauses for DoD, contractors are responsible for incident reporting and must align ED 26-03 attestation with existing incident response timelines. The practical steps include isolating impacted devices if patches cannot be applied within 7 days, disabling remote management interfaces, restricting access to management planes via ACLs, and enabling verbose logging. Contractors with FedRAMP-authorized logging services should increase log retention and ingestion capacity to meet the 90-day retention requirement; FedRAMP tenants should confirm authorization boundary coverage for the additional log sources and update Plan of Actions and Milestones (POA&Ms) where mitigations are deferred.

Under OMB M-25-21, agencies will expect evidence-based attestations; contractors should use automated tooling to collect verifiable artifacts and reduce reporting time. According to GSA guidelines, maintain an evidence package per affected endpoint (patch logs, packet captures if safe, scan outputs, and SIEM receipts). DoD's CMMC framework requires these artifacts to be mapped to control objectives for auditability. The recommended best practices include centralizing inventory in an agency- or contractor-managed CMDB, using FedRAMP-authorized log collectors for secure transfer, and running post-patch validation scans within 24–72 hours. Also, allocate contingency funds—expected $25,000–$150,000 per site—so that emergency purchases (consultants, replacement hardware) do not delay mitigation. Lastly, engage legal and contracting officers early to align flow-down modifications under FAR clauses for cybersecurity and changes, and ensure subcontractors acknowledge the timeline and evidence requirements in writing.

Per FAR 19.502, small businesses can request reasonable assistance from primes; primes should provide templates, centralized scanning, and funding pathways to avoid compliance failures. The SBA reports that rapid compliance is achievable when primes coordinate centralized remediation and evidence collection; use a dedicated incident response team to limit operational disruption. Contractors should test roll-back procedures in lab environments before widespread patching, schedule maintenance windows, and maintain a 24/7 on-call roster during the initial 7–14 day remediation period to respond to any post-patch instability. Finally, align insurance and cyber liability coverage with the remediation costs and document all remediation expenses for potential contract adjustments or claims.