Level 5 CMMC - CMMC Practices


Reference: CMMC 1.02

Family: RM

Level Introduced: 3

Manage non-vendor-supported products (e.g., end of life) separately and restrict as necessary to reduce risk.

CMMC Clarification:
In any organization technologies are introduced and removed from the environment. However, it may be necessary to continue using end-of-life technologies in support of a business or sponsor mission for extended periods of time. This timeline may extend well beyond the support offered by the vendor. When a vendor no longer supports your organization’s products, they no longer provide critical software updates and security updates. This puts your organization at risk because vulnerabilities may remain unpatched. To mitigate these risks, you should manage unsupported products separately. The management of these products may include:
• determining risk exposure caused by unsupported products;
• identifying if extended support is available;
• isolating unsupported products within your organization’s network (isolation techniques could include firewalls, VLAN separation, or air-gapped networks); and
• performing an upgrade, replacement, or retirement.

You are in charge of IT operations at your organization. A system on your network has been identified as running an operating system that is over 10 years old. When you speak to the system owner she informs you that the system emulates a Department of Defense (DoD) platform that is still in the field. The system is needed to perform simulations and provide feedback to the sponsor. There is no funding to upgrade or replace the system. Additionally, the data processed is deemed Controlled Unclassified Information (CUI). While the system presents a risk to the network you understand the need to support business objectives. Since the system is old, no longer supported by the vendor, and cannot meet new cybersecurity requirements you recommend isolating the system. Working with the project manager you develop a plan to isolate the system to better protect the data and the overall organization.

Unsupported products are products that are no longer supported by the vendor. Typically they are at the end of their product life. When a product becomes unsupported, there are no security updates and patches, putting the system at an increased exposure to potential attacks. Manage unsupported products separately from your supported products with increased mitigations as necessary to reduce the risk to the organization arising from such exposure.

Source: CMMC v1.02

SA-22 (1)


The organization provides [Selection (one or more): in-house support; [Assignment: organization-defined support from external providers]] for unsupported information system components.

Supplemental Guidance:
This control enhancement addresses the need to provide continued support for selected information system components that are no longer supported by the original developers, vendors, or manufacturers when such components remain essential to mission/business operations. Organizations can establish in-house support, for example, by developing customized patches for critical software components or secure the services of external providers who through contractual relationships, provide ongoing support for the designated unsupported components. Such contractual relationships can include, for example, Open Source Software value-added vendors.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02