CMMC Practice RM.3.147

Manage non-vendor-supported products (e.g., end of life) separately and restrict as necessary to reduce risk.

Source

CMMC Version 1.02, pg. 210

Bold Coast Security Guidance

For Level 1 compliance you must have a practice in place that provides compensating controls for products at "end-of-life" or past that milestone, where the vendor no longer supports them with updates and security patches. For Level 2, a policy must be in place that requires the practice. For Level 3 compliance, a detailed management plan must also be in place describing the step-by-step procedures that enable your organization to meet its policy requirements.

Discussion From Source

Unsupported products are products that are no longer supported by the vendor, typically because they have reached the end of their product life. When a product becomes unsupported, it receives no further security updates or patches, which increases the system's exposure to potential attacks. Manage unsupported products separately from your supported products, with increased mitigations as necessary, to reduce the risk to the organization arising from that exposure.

References

  • CMMC
  • CIS Controls v7.1 2.2
  • NIST SP 800-53 Rev 4 SA-22(1)