03.16.02 — (a) Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer. (b) Provide options for risk mitigation or alternative sources for continued support for unsupported components that cannot be replaced.
What this control requires
(a) Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer. (b) Provide options for risk mitigation or alternative sources for continued support for unsupported components that cannot be replaced.
Source: NIST SP 800-171 R3 §03.16.02 (official control text).
Why this matters
Unsupported software and hardware are primary entry points for attackers because vendors no longer release security patches for known vulnerabilities. This control requires organizations to maintain an active lifecycle management process that tracks vendor support timelines and replaces components before they become security liabilities. When critical business systems cannot be replaced immediately, documented risk mitigation strategies—such as network isolation, compensating controls, or third-party support contracts—must bridge the gap. Without this discipline, organizations operate infrastructure with publicly documented weaknesses that adversaries actively exploit.
What evidence assessors expect
Assessors typically look for: CSV export, screenshot, PDF.