NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION
SA-22 — Unsupported System Components
Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or Provide the following options for alternative sources for continued support for unsupported components {{ insert: param, sa-22_odp.01 }}.
Supplemental Guidance
Support for system components includes software patches, firmware updates, replacement parts, and maintenance contracts. An example of unsupported components includes when vendors no longer provide critical software patches or product updates, which can result in an opportunity for adversaries to exploit weaknesses in the installed components. Exceptions to replacing unsupported system components include systems that provide critical mission or business capabilities where newer technologies are not available or where the systems are so isolated that installing replacement components is not an option. Alternative sources for support address the need to provide continued support for system components that are no longer supported by the original manufacturers, developers, or vendors when such components remain essential to organizational mission and business functions. If necessary, organizations can establish in-house support by developing customized patches for critical software components or, alternatively, obtain the services of external providers who provide ongoing support for the designated unsupported components through contractual relationships. Such contractual relationships can include open-source software value-added vendors. The increased risk of using unsupported system components can be mitigated, for example, by prohibiting the connection of such components to public or uncontrolled networks, or implementing other forms of isolation.
Practitioner Notes
Identify and manage system components that are no longer supported by their vendor. Unsupported software and hardware no longer receive security patches, making them increasingly vulnerable over time.
Example 1: Maintain a technology lifecycle inventory that flags components approaching or past end-of-life. Windows Server 2012 R2, Oracle Database 12c, and similar products past their support dates should be highlighted with a planned migration timeline. Include unsupported components as POA&M items.
Example 2: If unsupported components cannot be immediately replaced, implement compensating controls: isolate them on a separate network segment, apply application whitelisting, increase monitoring, disable unnecessary services, and restrict user access. Document the risk acceptance with a specific migration plan and deadline approved by leadership.