SA-22—Unsupported System Components
>Control Description
Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or
Provide the following options for alternative sources for continued support for unsupported components [Selection (one or more): in-house support; [Assignment: organization-defined support from external providers]].
>FedRAMP Baseline Requirements
No FedRAMP-specific parameter values or requirements for this baseline.
>Discussion
Support for system components includes software patches, firmware updates, replacement parts, and maintenance contracts. An example of unsupported components includes when vendors no longer provide critical software patches or product updates, which can result in an opportunity for adversaries to exploit weaknesses in the installed components. Exceptions to replacing unsupported system components include systems that provide critical mission or business capabilities where newer technologies are not available or where the systems are so isolated that installing replacement components is not an option.
Alternative sources for support address the need to provide continued support for system components that are no longer supported by the original manufacturers, developers, or vendors when such components remain essential to organizational mission and business functions. If necessary, organizations can establish in-house support by developing customized patches for critical software components or, alternatively, obtain the services of external providers who provide ongoing support for the designated unsupported components through contractual relationships. Such contractual relationships can include open-source software value-added vendors.
The increased risk of using unsupported system components can be mitigated, for example, by prohibiting the connection of such components to public or uncontrolled networks, or implementing other forms of isolation.
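The condition the discussion describes (a vendor has stopped shipping patches for a component that is still deployed) can be detected from inventory data. The following is an added example, not part of the control text or of any AWS tool: it consumes the JSON document that `aws ssm describe-instance-information` returns and compares each managed instance's reported platform name and version against an end-of-support table that the organization maintains. The table entries and dates, the 180-day warning horizon, and the sample inventory are constructed for illustration and must be verified against the vendor lifecycle pages before use.

```python
"""Flag managed instances whose operating system is past vendor end of support.

Added example for SA-22, not part of the control text or of any AWS tool.
Input is the JSON document returned by
    aws ssm describe-instance-information
(SSM reports PlatformName / PlatformVersion per managed instance).
Each instance is matched against an organization-maintained end-of-support
table; the table below and the sample inventory are constructed for
illustration and must be verified against vendor lifecycle pages before use.
"""
import json
import re
from datetime import date

# Assumed organization-maintained table:
# (PlatformName regex, PlatformVersion regex, end-of-support date).
# Illustrative entries only; confirm each date with the vendor before relying on it.
SUPPORT_TABLE = [
    (r"Microsoft Windows Server 2012 R2", r".", date(2023, 10, 10)),
    (r"Ubuntu", r"18\.04", date(2023, 5, 31)),
    (r"CentOS Linux", r"7(\.|$)", date(2024, 6, 30)),
]

# Constructed sample in the shape of `aws ssm describe-instance-information` output.
SAMPLE_INVENTORY = json.dumps({
    "InstanceInformationList": [
        {"InstanceId": "i-0a1b2c3d4e5f60001",
         "PlatformName": "Microsoft Windows Server 2012 R2 Datacenter",
         "PlatformVersion": "6.3.9600", "PingStatus": "Online"},
        {"InstanceId": "i-0a1b2c3d4e5f60002", "PlatformName": "Ubuntu",
         "PlatformVersion": "18.04", "PingStatus": "Online"},
        {"InstanceId": "i-0a1b2c3d4e5f60003", "PlatformName": "Ubuntu",
         "PlatformVersion": "22.04", "PingStatus": "Online"},
        {"InstanceId": "i-0a1b2c3d4e5f60004", "PlatformName": "CentOS Linux",
         "PlatformVersion": "7.9.2009", "PingStatus": "Online"},
        {"InstanceId": "i-0a1b2c3d4e5f60005", "PlatformName": "Amazon Linux",
         "PlatformVersion": "2023", "PingStatus": "ConnectionLost"},
    ]
})


def end_of_support(platform_name, platform_version):
    """Return the end-of-support date for a platform/version, or None if the table has no entry."""
    for name_re, version_re, eos in SUPPORT_TABLE:
        if re.match(name_re, platform_name) and re.match(version_re, platform_version):
            return eos
    return None


def classify_instances(inventory_json, as_of, horizon_days=180):
    """Map each InstanceId to one of: unsupported, expiring, supported, unknown.

    `as_of` is a date or an ISO-8601 string (so the check can be run "as of"
    a past or future date). 'unknown' means the platform is absent from the
    table; it is reported separately rather than folded into 'supported'
    because a missing table entry is not evidence that the vendor still
    supports the component.
    """
    today = date.fromisoformat(as_of) if isinstance(as_of, str) else as_of
    report = {}
    for inst in json.loads(inventory_json).get("InstanceInformationList", []):
        eos = end_of_support(inst.get("PlatformName", ""), inst.get("PlatformVersion", ""))
        if eos is None:
            status = "unknown"
        elif eos < today:
            status = "unsupported"
        elif (eos - today).days <= horizon_days:
            status = "expiring"
        else:
            status = "supported"
        report[inst["InstanceId"]] = status
    return report


if __name__ == "__main__":
    # Replace SAMPLE_INVENTORY with the real CLI output, e.g. sys.stdin.read().
    for instance_id, status in sorted(classify_instances(SAMPLE_INVENTORY, date.today()).items()):
        print(f"{instance_id}\t{status}")
```

Instances reported as `unknown` need a human decision: either the table is extended with the vendor's published date or the component is flagged for review, since silently treating an untabulated platform as supported defeats the purpose of the check.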
>Programmatic Queries
CLI Commands
List managed instances with the platform name and version they report to SSM Inventory, the starting point for identifying operating systems whose vendor support has ended:
aws ssm describe-instance-information --query "InstanceInformationList[].{Id:InstanceId,Platform:PlatformName,Version:PlatformVersion}"
List Amazon Inspector findings whose title begins with "EOL" (adjust the prefix to match the end-of-life finding titles present in your account):
aws inspector2 list-findings --filter-criteria '{"title":[{"comparison":"PREFIX","value":"EOL"}]}'
Report compliance with an AWS Config rule that restricts instances to approved AMIs; approved-amis-by-id is the managed rule identifier, so substitute the name given to the rule in your account:
aws configservice get-compliance-details-by-config-rule --config-rule-name approved-amis-by-id
List running instances with their AMI and launch time, to spot long-lived instances built from old images:
aws ec2 describe-instances --query "Reservations[].Instances[].{Id:InstanceId,ImageId:ImageId,LaunchTime:LaunchTime}" --filters Name=instance-state-name,Values=running
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What acquisition policies and procedures address the requirements of SA-22 (unsupported system components)?
- How does the organization learn that a developer, vendor, or manufacturer has ended support for a component in use, and who tracks those end-of-support dates?
- Who is responsible for deciding whether an unsupported component is replaced or retained under an alternative support arrangement?
- How do you assess and monitor the security posture of external providers contracted to support unsupported components?
Technical Implementation:
- How are continued-support requirements defined and documented in contracts with alternative support providers?
- What mechanisms identify unsupported components in the inventory (for example, asset inventory, vulnerability scanning, or end-of-life reporting)?
- How do you validate that in-house or external support actually delivers patches and updates for the designated components?
- What compensating controls (for example, prohibiting connection to public or uncontrolled networks, or other forms of isolation) are applied to unsupported components that cannot be replaced?
Evidence & Documentation:
- Can you provide the list of unsupported components currently in use and the justification for retaining each (critical mission or business capability, no newer technology available, or isolation that prevents replacement)?
- What evidence demonstrates that components whose vendor support ended were replaced or placed under alternative support?
- Where is the unsupported-component inventory and its supporting documentation maintained throughout the system lifecycle?
- Can you provide records of in-house patches developed for unsupported components, including review or test results?
- Can you provide assessment reports for external support providers?