
SA-22 UNSUPPORTED SYSTEM COMPONENTS


Overview

Number | Title | Impact | Priority | Subject Area
SA-22 | Unsupported System Components | | P0 | System And Services Acquisition

Instructions
The organization:
SA-22a. Replaces information system components when support for the components is no longer available from the developer, vendor, or manufacturer; and
SA-22b. Provides justification and documents approval for the continued use of unsupported system components required to satisfy mission/business needs.
Guidance
Support for information system components includes, for example, software patches, firmware updates, replacement parts, and maintenance contracts. Unsupported components (e.g., when vendors are no longer providing critical software patches) provide a substantial opportunity for adversaries to exploit new weaknesses discovered in the currently installed components. Exceptions to replacing unsupported system components may include, for example, systems that provide critical mission/business capability where newer technologies are not available or where the systems are so isolated that installing replacement components is not an option.

Enhancements
SA-22 (1) Alternative Sources For Continued Support
This control enhancement addresses the need to provide continued support for selected information system components that are no longer supported by the original developers, vendors, or manufacturers when such components remain essential to mission/business operations. Organizations can establish in-house support, for example, by developing customized patches for critical software components, or secure the services of external providers who, through contractual relationships, provide ongoing support for the designated unsupported components. Such contractual relationships can include, for example, Open Source Software value-added vendors.

The organization provides [Selection (one or more): in-house support; [Assignment: organization-defined support from external providers]] for unsupported information system components.