Back to Control Explorer



Control Acronym



Risk Management

CMMC Level


800-171 Control #


CMMC Description

Manage non-vendor-supported products (e.g., end of life) separately and restrict as necessary to reduce risk.

CMMC Clarification

In any organization technologies are introduced and removed from the environment. However, it may be necessary to continue using end-of-life technologies in support of a business or sponsor mission for extended periods of time. This timeline may extend well beyond the support offered by the vendor. When a vendor no longer supports your organization’s products, they no longer provide critical software updates and security updates. This puts your organization at risk because vulnerabilities may remain unpatched. To mitigate these risks, you should manage unsupported products separately. The management of these products may include: • * determining risk exposure caused by unsupported products * identifying if extended support is available * isolating unsupported products within your organization’s network (isolation techniques could include firewalls, VLAN separation, or air-gapped networks) * performing an upgrade, replacement, or retirement. Example You are in charge of IT operations at your organization. A system on your network has been identified as running an operating system that is over 10 years old. When you speak to the system owner she informs you that the system emulates a Department of Defense (DoD) platform that is still in the field. The system is needed to perform simulations and provide feedback to the sponsor. There is no funding to upgrade or replace the system. Additionally, the data processed is deemed Controlled Unclassified Information (CUI). While the system presents a risk to the network you understand the need to support business objectives. Since the system is old, no longer supported by the vendor, and cannot meet new cybersecurity requirements you recommend isolating the system. Working with the project manager you develop a plan to isolate the system to better protect the data and the overall organization.

800-171 Description

800-171 Discussion


Other Source Discussion

CMMC Unsupported products are products that are no longer supported by the vendor. Typically they are at the end of their product life. When a product becomes unsupported, there are no security updates and patches, putting the system at an increased exposure to potential attacks. Manage unsupported products separately from your supported products with increased mitigations as necessary to reduce the risk to the organization arising from such exposure.

CIS Control References

CIS Controls v7.1 2.2

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 SA-22(1)

CMMC Derived


NIST CSF Control References

NIST 800-171 References

Applicable FAR Clause

NIST CSF Control Reference

CERT RMM Reference

Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference


Assessment Sub-Criteria 1

RM.3.147.[a] the organization maintains a list of products the organization is using that are no longer supported by their vendors or do not have any type of vendor support;

Assessment Sub-Criteria 2

RM.3.147.[b] the organization documents how it manages the risk of each such product within the organization; and

Assessment Sub-Criteria 3

RM.3.147.[c] the organization tracks the risks of using non-vendor-supported products.

Assessment Sub-Criteria 4

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15