03.16.02: Unsupported System Components

Control Family: System and Services Acquisition

SPRS: N/A

Top Ten Failed Requirement: N/A

Supporting Publications:

  • N/A

Referenced in: N/A

Control Type: N/A

CPCSC Level 2: 03.16.02

CMMC Level(s): N/A

Derived From: NIST SP 800-53r5

  • SA-22

a. Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer.

b. Provide options for risk mitigation or alternative sources for continued support for unsupported components that cannot be replaced.

Discussion:

Support for system components includes software patches, firmware updates, replacement parts, and maintenance contracts. Components become unsupported when, for example, vendors no longer provide critical software patches or product updates, which can give adversaries opportunities to exploit weaknesses or deficiencies in the installed components. Exceptions to replacing unsupported system components include systems that provide critical mission or business capabilities when newer technologies are unavailable, or when the systems are so isolated that installing replacement components is not an option.

Alternative sources of support address the need to provide continued support for system components that are no longer supported by the original manufacturers, developers, or vendors when such components remain essential to organizational missions and business functions. If necessary, organizations can establish in-house support by developing customized patches for critical software components, or obtain the services of external service providers who provide ongoing support for unsupported components through contractual relationships. Such contractual relationships can include open-source software value-added vendors. The increased risk of using unsupported system components can be mitigated by prohibiting the connection of such components to public or uncontrolled networks, or by implementing other forms of isolation.

Assessment Methods and Objectives

Examine [SELECT FROM: system and services acquisition policy and procedures; procedures for the replacement or continued use of unsupported system components; documented evidence of replacing unsupported system components; documented approvals (including justification) for the continued use of unsupported system components; SCRM plan; system security plan; other relevant documents or records]

Interview [SELECT FROM: personnel with system and service acquisition responsibilities; personnel responsible for component replacement; personnel with system development life cycle responsibilities; personnel with information security responsibilities]

Test [SELECT FROM: processes for replacing unsupported system components; mechanisms for supporting or implementing the replacement of unsupported system components]

NIST SP 800-171A r3 Determining Statements

Determine if:

A.03.16.02.a: system components are replaced when support for the components is no longer available from the developer, vendor, or manufacturer.

A.03.16.02.b: options for risk mitigation or alternative sources for continued support for unsupported components that cannot be replaced are provided.