RM.3.147 Manage non-vendor-supported products (e.g., end of life) separately and restrict as necessary to reduce risk.

CMMC Practice RM.3.147: Manage non-vendor-supported products (e.g., end of life) separately and restrict as necessary to reduce risk.

CMMC CLARIFICATION (Ref CMMC – Appendix B)

In any organization, technologies are introduced and removed from the environment. However, it may be necessary to continue using end-of-life technologies in support of a business or sponsor mission for extended periods of time. This timeline may extend well beyond the support offered by the vendor. When a vendor no longer supports your organization’s products, they no longer provide critical software updates and security updates. This puts your organization at risk because vulnerabilities may remain unpatched. To mitigate these risks, you should manage unsupported products separately. The management of these products may include:

  • determining risk exposure caused by unsupported products;
  • identifying if extended support is available;
  • isolating unsupported products within your organization’s network (isolation techniques could include firewalls, VLAN separation, or air-gapped networks); and
  • performing an upgrade, replacement, or retirement.