Do you have a fully implemented solution support strategy that defines how many concurrent versions you support?
Explanation
Version support is the focus of this item: assessors want to know that you have a defined strategy spelling out how many concurrent versions of your software you keep supported at once.
In security terms, this matters because older, unsupported versions may contain unpatched vulnerabilities that pose security risks. A clear version support policy helps customers understand when they need to upgrade to maintain security compliance and receive security updates.
The guidance specifically asks you to list the current version you support and what percentage of customers are using that version. This helps the assessor understand if most of your customers are on secure, supported versions or if there's a significant portion using potentially vulnerable older versions.
A good answer should include:
- Confirmation that you have a documented version support policy
- The number of concurrent versions you support (e.g., the current version and one previous version)
- The specific version numbers currently supported
- The percentage of customers on each supported version
- Your approach to end-of-life notifications and migration support
This question helps organizations evaluate the security risk of adopting your solution based on how well you manage the lifecycle of your product versions.
Guidance
List the current version you support and what percentage of customers are utilizing that version.
Example Responses
Example Response 1
Yes, we have a fully implemented solution support strategy We support two concurrent versions of our platform: the current version (v4.2) and one previous version (v4.1) Currently, 78% of our customers are on v4.2, while 22% remain on v4.1 We provide security updates for both versions When a new version is released, we notify customers using the previous version that they have 6 months to upgrade before that version reaches end-of-life status We provide detailed migration guides and optional professional services to assist with version upgrades.
Example Response 2
Yes, our company maintains a formal version support policy that defines our approach to concurrent version support We currently support three concurrent versions of our software: the current release (v7.5.2) and two previous major versions (v6.8.4 and v5.9.7) The distribution of our customer base across these versions is as follows: 65% on v7.5.2, 25% on v6.8.4, and 10% on v5.9.7 All supported versions receive security patches, though feature updates are only provided for the current version We communicate our version support roadmap quarterly to customers and provide at least 12 months' notice before any version reaches end-of-life status.
Example Response 3
No, we currently do not have a fully implemented solution support strategy that defines how many concurrent versions we support We generally focus on maintaining our latest version (currently v2.3) with approximately 60% of our customers using it, while the remaining 40% use various older versions We address security issues on a case-by-case basis across all versions still in use by customers, but we don't have a formal policy defining version support timelines or end-of-life procedures We recognize this as a gap in our processes and are currently developing a formal version support strategy that we expect to implement within the next quarter.
Context
- Tab
- Organization
- Category
- Change Management
Related questions
- Will the institution be notified of major changes to your environment that could impact the institution's security posture?
- Does the system support client customizations from one release to another?
- Do you have an implemented system configuration management process (e.g.,secure "gold" images, etc.)?
- Do you have a documented change management process?
- Does your change management process minimally include authorization, impact analysis, testing, and validation before moving changes to production?
- Does your change management process verify that all required third-party libraries and dependencies are still supported with each major change?

