Has your organization established and implemented formal plans for managing software and service end-of-life, including maintenance support timelines and obsolescence procedures?
Explanation
Software and services that reach end-of-life (EOL) without proper planning create significant security exposure: once the vendor stops providing security patches and updates, newly discovered vulnerabilities remain unfixed for as long as the component stays in use.
A formal EOL management plan ensures timely migration to supported alternatives, prevents these security gaps, and maintains operational continuity when components become obsolete.
This planning should include identification of all software assets, the lifecycle stage of each, and defined transition procedures for moving off components before their support ends.
Evidence could include a documented EOL management policy, lifecycle tracking spreadsheets/tools showing EOL dates for key systems, migration planning documentation, or meeting minutes showing regular reviews of upcoming EOL software components.
Implementation Example
Define and implement plans for software and service end-of-life maintenance support and obsolescence
ID: PR.PS-02.246
Context
- Function: PR (PROTECT)
- Category: PR.PS (Platform Security)
- Sub-Category: Software is maintained, replaced, and removed commensurate with risk
Related questions
- Has your organization established and maintained hardened baseline configurations for all systems that enforce security policies and provide only essential capabilities?
- Does your organization have a documented process for reviewing default configuration settings for security implications when installing or upgrading software?
- Does your organization have a process to monitor software for deviations from approved baselines?
- Does your organization implement and adhere to defined timeframes for routine and emergency patching as specified in your vulnerability management plan?
- Does your organization follow an immutable infrastructure approach for container deployments by replacing rather than updating existing container instances when updates are required?
- Does your organization have a process to identify and replace end-of-life software and services with supported versions?