SA-22: Unsupported System Components
|SA-22a.||Replaces information system components when support for the components is no longer available from the developer, vendor, or manufacturer; and|
|SA-22b.||Provides justification and documents approval for the continued use of unsupported system components required to satisfy mission/business needs.|
Support for information system components includes, for example, software patches, firmware updates, replacement parts, and maintenance contracts. Unsupported components (e.g., when vendors are no longer providing critical software patches), provide a substantial opportunity for adversaries to exploit new weaknesses discovered in the currently installed components. Exceptions to replacing unsupported system components may include, for example, systems that provide critical mission/business capability where newer technologies are not available or where the systems are so isolated that installing replacement components is not an option.