Has your organization established and implemented a formal plan for managing component end-of-life, maintenance support, and obsolescence?
Explanation
Managing technology through its decline is the focus, specifically whether you have a formal plan for component end-of-life, maintenance support, and obsolescence. Without proper planning, organizations risk using unsupported components that may contain unpatched security vulnerabilities, face unexpected costs for emergency replacements, or experience operational disruptions when critical components fail without available replacements.
Evidence could include a documented component lifecycle management policy, an inventory database with end-of-life dates for hardware and software components, replacement schedules, or vendor support contract documentation that shows planning for transitions from aging technologies.
Implementation Example
Define and implement plans for component end-of-life maintenance support and obsolescence
ID: GV.SC-10.114
Context
- Function
- GV: GOVERN
- Category
- GV.SC: Cybersecurity Supply Chain Risk Management
- Sub-Category
- Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement
Related questions
- Has your organization established a documented strategy that defines the objectives of your cybersecurity supply chain risk management program?
- Has your organization developed a formal cybersecurity supply chain risk management program with documented policies, procedures, and an implementation plan with milestones that is shared with relevant stakeholders?
- Has your organization developed and implemented the processes from the cybersecurity supply chain risk management program, that align with your security strategy, objectives, policies, and procedures with documented stakeholder agreement and participation?
- Has your organization established a formal cross-functional team or committee responsible for cybersecurity supply chain risk management?
- Has your organization formally designated specific roles or positions responsible for cybersecurity supply chain risk management activities?
- Has your organization documented cybersecurity supply chain risk management roles and responsibilities in a formal policy?

