SA-22 Unsupported System Components
The organization:
SA-22a.: Replaces information system components when support for the components is no longer available from the developer, vendor, or manufacturer; and
SA-22b.: Provides justification and documents approval for the continued use of unsupported system components required to satisfy mission/business needs.
Applicable CNSSI 1253 Baselines
Confidentiality
- L
- M
- H
Integrity
- L
- M
- H
Availability
- L
- M
- H
Supplemental Guidance
Support for information system components includes, for example, software patches, firmware updates, replacement parts, and maintenance contracts. Unsupported components (e.g., when vendors are no longer providing critical software patches), provide a substantial opportunity for adversaries to exploit new weaknesses discovered in the currently installed components. Exceptions to replacing unsupported system components may include, for example, systems that provide critical mission/business capability where newer technologies are not available or where the systems are so isolated that installing replacement components is not an option.