PR.PS-02: Software is maintained, replaced, and removed commensurate with risk


[Note: Subcategories do not have detailed descriptions. However, NIST has provided the following implementation examples.]

Implementation Examples

1st Party Risk

Ex1: Perform routine and emergency patching within the timeframes specified in the vulnerability management plan

Ex2: Update container images, and deploy new container instances to replace rather than update existing instances

Ex3: Replace end-of-life software and service versions with supported, maintained versions

Ex4: Uninstall and remove unauthorized software and services that pose undue risks

Ex5: Uninstall and remove any unnecessary software components (e.g., operating system utilities) that attackers might misuse

Ex6: Define and implement plans for software and service end-of-life maintenance support and obsolescence