Manage non-vendor-supported products (e.g., end of life) separately and restrict as necessary to reduce risk.
In any organization, technologies are introduced into and removed from the environment. However, it may be necessary to continue using end-of-life technologies in support of a business or sponsor mission for extended periods of time. This timeline may extend well beyond the support offered by the vendor. When a vendor no longer supports your organization's products, it no longer provides critical software updates and security updates. This puts your organization at risk because vulnerabilities may remain unpatched. To mitigate these risks, you should manage unsupported products separately. The management of these products may include:

* determining the risk exposure caused by unsupported products
* identifying whether extended support is available
* isolating unsupported products within your organization's network (isolation techniques could include firewalls, VLAN separation, or air-gapped networks)
* performing an upgrade, replacement, or retirement

Example

You are in charge of IT operations at your organization. A system on your network has been identified as running an operating system that is over 10 years old. When you speak to the system owner, she informs you that the system emulates a Department of Defense (DoD) platform that is still in the field. The system is needed to perform simulations and provide feedback to the sponsor. There is no funding to upgrade or replace the system. Additionally, the data processed is deemed Controlled Unclassified Information (CUI). While the system presents a risk to the network, you understand the need to support business objectives. Since the system is old, no longer supported by the vendor, and cannot meet new cybersecurity requirements, you recommend isolating the system. Working with the project manager, you develop a plan to isolate the system to better protect the data and the overall organization.

CMMC

Unsupported products are products that are no longer supported by the vendor. Typically they are at the end of their product life. When a product becomes unsupported, there are no security updates and patches, putting the system at increased exposure to potential attacks. Manage unsupported products separately from your supported products, with increased mitigations as necessary to reduce the risk to the organization arising from such exposure.
CIS Controls v7.1 2.2
NIST SP 800-53 Rev 4 SA-22(1)
RM.3.147.[a] the organization maintains a list of products the organization is using that are no longer supported by their vendors or do not have any type of vendor support;
RM.3.147.[b] the organization documents how it manages the risk of each such product within the organization; and
RM.3.147.[c] the organization tracks the risks of using non-vendor-supported products.
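The management steps above (determine exposure, check for extended support, isolate, plan upgrade or retirement) and assessment objectives [a] through [c] can be backed by a simple unsupported-product register. The following is an added example written for this page, not code from CMMC or any assessment tool; the Product fields, the inventory entries and their dates, and the risk-rating rule are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Product:
    """One inventory entry (hypothetical fields, not a CMMC-defined schema)."""
    name: str
    vendor_support_end: date          # last date the vendor ships security updates
    extended_support_available: bool  # vendor or third-party extended support exists
    isolated: bool                    # behind a firewall, on a separate VLAN, or air-gapped
    handles_cui: bool                 # processes Controlled Unclassified Information


def classify(p: Product, today: date) -> dict:
    """Build a register entry: support status, risk rating and required actions (RM.3.147[b])."""
    unsupported = today > p.vendor_support_end
    entry = {"product": p.name, "unsupported": unsupported, "actions": []}
    if not unsupported:
        return entry
    days_past = (today - p.vendor_support_end).days
    # Assumed rating rule: CUI on the system, or more than a year without patches, is high risk.
    entry["days_unsupported"] = days_past
    entry["risk"] = "high" if (p.handles_cui or days_past > 365) else "medium"
    if p.extended_support_available:
        entry["actions"].append("procure extended support")
    if not p.isolated:
        entry["actions"].append("isolate (firewall, VLAN separation, or air gap)")
    entry["actions"].append("plan upgrade, replacement, or retirement")
    return entry


def build_register(inventory: list, today: date) -> list:
    """List only products without vendor support, as RM.3.147[a] requires; re-run to track [c]."""
    return [classify(p, today) for p in inventory if today > p.vendor_support_end]


# Constructed sample inventory; the first entry mirrors the page's DoD emulator scenario.
SAMPLE_INVENTORY = [
    Product("dod-platform-emulator", date(2014, 7, 1), False, False, True),
    Product("lab-file-server", date(2025, 1, 1), True, False, False),
    Product("hr-portal", date(2030, 12, 31), False, False, False),
]

if __name__ == "__main__":
    for entry in build_register(SAMPLE_INVENTORY, date(2025, 6, 1)):
        print(entry)
```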