Back to Control Explorer
RM.3.147
Content
Control Acronym
RM
Family
Risk Management
CMMC Level
3
800-171 Control #
N/A
CMMC Description
Manage non-vendor-supported products (e.g., end of life) separately and restrict as necessary to reduce risk.
CMMC Clarification
In any organization technologies are introduced and removed from the environment. However, it may be necessary to continue using end-of-life technologies in support of a business or sponsor mission for extended periods of time. This timeline may extend well beyond the support offered by the vendor. When a vendor no longer supports your organization’s products, they no longer provide critical software updates and security updates. This puts your organization at risk because vulnerabilities may remain unpatched. To mitigate these risks, you should manage unsupported products separately. The management of these products may include: • * determining risk exposure caused by unsupported products * identifying if extended support is available * isolating unsupported products within your organization’s network (isolation techniques could include firewalls, VLAN separation, or air-gapped networks) * performing an upgrade, replacement, or retirement. Example You are in charge of IT operations at your organization. A system on your network has been identified as running an operating system that is over 10 years old. When you speak to the system owner she informs you that the system emulates a Department of Defense (DoD) platform that is still in the field. The system is needed to perform simulations and provide feedback to the sponsor. There is no funding to upgrade or replace the system. Additionally, the data processed is deemed Controlled Unclassified Information (CUI). While the system presents a risk to the network you understand the need to support business objectives. Since the system is old, no longer supported by the vendor, and cannot meet new cybersecurity requirements you recommend isolating the system. Working with the project manager you develop a plan to isolate the system to better protect the data and the overall organization.
800-171 Description
800-171 Discussion
N/A
Other Source Discussion
CMMC Unsupported products are products that are no longer supported by the vendor. Typically they are at the end of their product life. When a product becomes unsupported, there are no security updates and patches, putting the system at an increased exposure to potential attacks. Manage unsupported products separately from your supported products with increased mitigations as necessary to reduce the risk to the organization arising from such exposure.
CIS Control References
CIS Controls v7.1 2.2
NIST 800-53 Control Ref.
NIST SP 800-53 Rev 4 SA-22(1)
CMMC Derived
CMMC
NIST CSF Control References
NIST 800-171 References
Applicable FAR Clause
NIST CSF Control Reference
CERT RMM Reference
Modification of NIST 800-171B Reference
NIST 800-171B Reference
UK NCSCCyber Reference
AS ACSC Reference
Sub-Criterias
Assessment Sub-Criteria 1
RM.3.147.[a] the organization maintains a list of products the organization is using that are no longer supported by their vendors or do not have any type of vendor support;
Assessment Sub-Criteria 2
RM.3.147.[b] the organization documents how it manages the risk of each such product within the organization; and
Assessment Sub-Criteria 3
RM.3.147.[c] the organization tracks the risks of using non-vendor-supported products.