SA-22: Unsupported System Components


2019-05-20 15:48:11.984914




The organization:

Code Description
SA-22a. Replaces information system components when support for the components is no longer available from the developer, vendor, or manufacturer; and
SA-22b. Provides justification and documents approval for the continued use of unsupported system components required to satisfy mission/business needs.

Additional Guidance

Support for information system components includes, for example, software patches, firmware updates, replacement parts, and maintenance contracts. Unsupported components (e.g., when vendors are no longer providing critical software patches), provide a substantial opportunity for adversaries to exploit new weaknesses discovered in the currently installed components. Exceptions to replacing unsupported system components may include, for example, systems that provide critical mission/business capability where newer technologies are not available or where the systems are so isolated that installing replacement components is not an option.