Requirement text: RM.3.147: Manage non-vendor-supported products (e.g., end of life) separately and
restrict as necessary to reduce risk.
DISCUSSION FROM SOURCE: CMMC
Unsupported products are products that the vendor no longer supports, typically because
they have reached the end of their product life. Once a product is unsupported it receives
no security updates or patches, so any newly discovered vulnerability stays open and the
system's exposure to attack grows over time. Manage unsupported products separately from
your supported products, with additional mitigations as necessary to reduce the risk to the
organization arising from that exposure.
CMMC CLARIFICATION
In any organization, technologies are introduced into and removed from the environment.
However, it may be necessary to continue using end-of-life technologies in support of a
business or sponsor mission for extended periods of time. This timeline may extend well
beyond the support offered by the vendor. When a vendor no longer supports your
organization's products, it no longer provides critical software updates or security
updates. This puts your organization at risk because vulnerabilities may remain unpatched
indefinitely. To mitigate these risks, you should manage unsupported products separately.
The management of these products may include:
• determining risk exposure caused by unsupported products;
• identifying if extended support is available;
• isolating unsupported products within your organization’s network (isolation
techniques could include firewalls, VLAN separation, or air-gapped networks); and
• performing an upgrade, replacement, or retirement.
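The isolation step above is usually enforced as a default-deny allowlist at the boundary of the
segment that holds the unsupported host: only the flows the mission actually needs are permitted
and everything else, in both directions, is dropped and logged. The following is an added example,
not part of the CMMC text, that models such a policy in Python. The addresses, the three permitted
flows (admin access from a jump host, results to the sponsor feedback server, syslog to the SIEM)
and the table and chain names are all hypothetical; decide() evaluates a flow against the policy
the way the boundary firewall would, and to_nftables() renders the same policy as an nftables
ruleset for the gateway in front of the legacy VLAN.

```python
"""Default-deny allowlist for a legacy (unsupported) enclave.

Hypothetical policy: the unsupported simulation host sits on its own VLAN
(10.50.0.0/24). Only the flows in ALLOWLIST may cross the VLAN boundary;
everything else is dropped and logged. All addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LEGACY_SEGMENT = ip_network("10.50.0.0/24")  # constructed VLAN for the legacy host


@dataclass(frozen=True)
class Rule:
    src: str      # CIDR of permitted source
    dst: str      # CIDR of permitted destination
    proto: str    # "tcp" or "udp"
    dport: int    # destination port
    comment: str  # why the flow is needed (carried into the ruleset)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


# Constructed allowlist: the minimum the mission needs, nothing more.
ALLOWLIST = [
    Rule("10.10.1.5/32", "10.50.0.10/32", "tcp", 3389,
         "admin access from the hardened jump host only"),
    Rule("10.50.0.10/32", "10.10.2.20/32", "tcp", 443,
         "simulation results to the sponsor feedback server"),
    Rule("10.50.0.10/32", "10.10.3.30/32", "udp", 514,
         "syslog to the SIEM so the enclave stays monitored"),
]


def _matches(rule: Rule, flow: Flow) -> bool:
    """True when the flow falls inside the rule's source, destination, protocol and port."""
    return (ip_address(flow.src) in ip_network(rule.src)
            and ip_address(flow.dst) in ip_network(rule.dst)
            and rule.proto == flow.proto
            and rule.dport == flow.dport)


def decide(flow: Flow) -> str:
    """Decision of the boundary firewall for a new (non-established) flow.

    Returns "accept", "drop", or "not-in-scope" when neither endpoint is in
    the legacy segment (the enclave boundary never sees that traffic).
    """
    src_in = ip_address(flow.src) in LEGACY_SEGMENT
    dst_in = ip_address(flow.dst) in LEGACY_SEGMENT
    if not (src_in or dst_in):
        return "not-in-scope"
    if src_in and dst_in:
        return "accept"  # intra-VLAN traffic does not cross the gateway
    # Anything crossing the boundary must match an explicit rule; default is deny.
    return "accept" if any(_matches(r, flow) for r in ALLOWLIST) else "drop"


def to_nftables() -> str:
    """Render the allowlist as an nftables forward chain with a drop policy."""
    lines = [
        "table inet legacy_enclave {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in ALLOWLIST:
        lines.append(f'    ip saddr {r.src} ip daddr {r.dst} {r.proto} dport {r.dport} '
                     f'accept comment "{r.comment}"')
    # Log what the default policy drops; these hits are the review input for the plan.
    lines += ['    log prefix "legacy-enclave-drop: " drop', "  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for f in (Flow("10.10.1.5", "10.50.0.10", "tcp", 3389),   # jump host admin
              Flow("10.10.1.6", "10.50.0.10", "tcp", 3389),   # unapproved admin source
              Flow("10.50.0.10", "10.10.2.20", "tcp", 443),   # results to sponsor
              Flow("10.50.0.10", "203.0.113.9", "tcp", 80)):  # legacy host reaching out
        print(f"{f.src} -> {f.dst} {f.proto}/{f.dport}: {decide(f)}")
    print(to_nftables())
```

The rendered ruleset keeps a stateful "established,related" accept so return traffic for the
permitted flows works, and ends with a logged drop so that every blocked attempt becomes evidence
for the next review of whether the host can finally be upgraded, replaced, or retired.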
Example
You are in charge of IT operations at your organization. A system on your network has been
identified as running an operating system that is over 10 years old. When you speak to the
system owner she informs you that the system emulates a Department of Defense (DoD)
platform that is still in the field. The system is needed to perform simulations and provide
feedback to the sponsor. There is no funding to upgrade or replace the system. Additionally,
the data processed is deemed Controlled Unclassified Information (CUI). While the system
presents a risk to the network, you understand the need to support business objectives. Since
the system is old, no longer supported by the vendor, and cannot meet new cybersecurity
requirements, you recommend isolating the system. Working with the project manager, you
develop a plan to isolate the system to better protect the data and the overall organization.
References
• CMMC
• CIS Controls v7.1 2.2
• NIST SP 800-53 Rev 4 SA-22(1)