Does your organization have a formal process to replace hardware that lacks required security capabilities or cannot support secure software?
Explanation
This question focuses on hardware lifecycle security: whether you have a formal process to replace hardware that lacks required security capabilities or cannot run secure software. This includes outdated servers, workstations, network devices, IoT devices, and specialized equipment that cannot be adequately secured through updates or compensating security controls.
Evidence could include a documented hardware lifecycle management policy that specifically addresses security requirements, replacement criteria, and timelines; hardware inventory records showing security capability assessments; and documentation of recent hardware replacements due to security concerns.
Implementation Example
Replace hardware when it lacks needed security capabilities or when it cannot support software with needed security capabilities
ID: PR.PS-03.247
Context
- Function: PR: PROTECT
- Category: PR.PS: Platform Security
- Sub-Category: Hardware is maintained, replaced, and removed commensurate with risk
Related questions
- Has your organization established and maintained hardened baseline configurations for all systems that enforce security policies and provide only essential capabilities?
- Does your organization have a documented process for reviewing default configuration settings for security implications when installing or upgrading software?
- Does your organization have a process to monitor software for deviations from approved baselines?
- Does your organization implement and adhere to defined timeframes for routine and emergency patching as specified in your vulnerability management plan?
- Does your organization follow an immutable infrastructure approach for container deployments by replacing rather than updating existing container instances when updates are required?
- Does your organization have a process to identify and replace end-of-life software and services with supported versions?