Most security conversations focus on what software exists in an environment. CIS Control 2.2 pushes the conversation one step further by asking a more important question:
Is that software still supported?
Because software that no longer receives vendor updates, security patches, or maintenance isn’t just outdated—it’s dangerous.
What Is CIS Control 2.2?
This safeguard focuses organizations on confirming that all authorized software in their environment is still supported by the vendor or developer. If it isn’t, it must be updated, replaced, or formally documented as an exception.
In short: if the vendor won’t fix it, you shouldn’t trust it.
Why Unsupported Software Creates Real Business Risk
Unsupported Software = Known, Unpatched Vulnerabilities
Once software reaches end-of-life, vulnerabilities don’t stop being discovered—patches stop being issued. Attackers actively scan for these known weaknesses because they’re reliable, repeatable, and often overlooked.
This is why unsupported software is frequently involved in:
- Ransomware intrusions
- Privilege escalation attacks
- Initial access via exposed services
Leaving these holes unmitigated is risky for organizations of any size. You don’t need a sophisticated attacker—just one who knows how to exploit known flaws.
Compliance and Insurance Exposure
Many regulations and cyber insurance policies implicitly assume that systems are kept reasonably up to date. Running unsupported software can:
- Weaken audit findings
- Complicate insurance claims
- Create negligence arguments after a breach
Even if a control doesn’t explicitly say “no end-of-life software,” unsupported systems are hard to defend under scrutiny.
Operational Fragility
Unsupported software also introduces operational risk, such as:
- Compatibility issues with newer systems, hindering collaboration, productivity, and revenue-generating activities
- Unexpected outages due to platform instability
- Inability to recover cleanly after incidents as systems cannot be properly restored
Security aside, unsupported software often becomes a single point of failure.
How To Begin Implementing Control 2.2
Add “Support Status” to Your Software Inventory
Start simple. Once you’ve built your authorized software list and inventory, add one column:
- Supported
- Unsupported
- Supported with planned retirement date
This makes product support lifecycles easy to track and strengthens the governance of your inventory.
Replace or Upgrade Where Possible
Check whether supported, current versions or alternatives exist, especially for business-critical systems. Organizations should prioritize:
- Operating systems
- Browsers
- Office productivity tools
- Security agents and VPN clients
These are high-impact, low-friction upgrades that dramatically reduce exposure and keep the business operating.
Document Exceptions Thoughtfully and Track The Risk
Some legacy software can’t be replaced overnight, whether because of operational dependencies, budget restrictions, or timing. When that happens:
- Document why the exception is required, to ensure awareness, accountability, and justification.
- Define which compensating controls (network segmentation, limited user access, proactive monitoring, etc.) are reducing the risk of the systems in question.
- Set a review date to revisit the exception and decide when to upgrade or remove the systems.
Exceptions should be intentional and limited in count—not forgotten or unjustified.
Use Automation to Catch Version and System Configuration Drift
Keeping up with software health, inventory, versions, and vulnerabilities is an enormous task for an organization of any size. Luckily, many endpoint and asset management tools and services can identify software versions automatically, and some can also report on upcoming end-of-life systems, versions, and software. This helps catch:
- Devices that missed upgrades, updates, or other configuration gaps
- Older versions silently re-installed
- Systems drifting out of compliance over time
Consider adopting automation or endpoint and asset configuration management solutions to keep the inventory consistent and make adoption of Control 2.2 sustainable.
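As an added example (not from the original post or any vendor tool), the script below fills the “Support Status” column described above and flags the drift and exception conditions from the last two sections: entries are classified as Supported, Supported with planned retirement date, or Unsupported from a vendor end-of-life date, and action items are raised for unsupported software with no documented exception, exceptions whose review date has passed, and installed versions older than the authorized one. The inventory rows, product names, versions and dates are constructed for illustration; the 180-day “planned retirement” window is an assumed policy value.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

@dataclass
class Entry:  # one row of the authorized-software inventory (constructed schema)
    name: str
    authorized_version: str
    installed_version: str
    eol: Optional[date]                      # vendor end-of-life date, None if not announced
    exception_review: Optional[date] = None  # review date if an exception is documented

def parse_version(v: str) -> tuple:
    # Dotted numeric versions compare correctly as integer tuples (4.9 < 4.10)
    return tuple(int(p) for p in v.split("."))

def support_status(e: Entry, today: date, lookahead_days: int = 180) -> str:
    """Fill the 'Support Status' column: Supported / planned retirement / Unsupported."""
    if e.eol is None or e.eol > today + timedelta(days=lookahead_days):
        return "Supported"
    if e.eol > today:
        return "Supported with planned retirement date " + e.eol.isoformat()
    return "Unsupported"

def findings(inventory: List[Entry], today: date) -> List[str]:
    """Items needing action: undocumented or overdue exceptions and version drift."""
    out = []
    for e in inventory:
        if support_status(e, today) == "Unsupported":
            if e.exception_review is None:
                out.append(f"{e.name}: unsupported and no exception documented")
            elif e.exception_review < today:
                out.append(f"{e.name}: exception review date {e.exception_review} has passed")
        if parse_version(e.installed_version) < parse_version(e.authorized_version):
            out.append(f"{e.name}: installed {e.installed_version} is older than authorized {e.authorized_version} (drift or silent reinstall)")
    return out

SAMPLE = [  # constructed sample rows; names, versions and dates are illustrative only
    Entry("ExampleOS", "22.4", "22.4", date(2027, 4, 30)),
    Entry("LegacyDB", "9.6", "9.6", date(2021, 11, 11)),
    Entry("OldVPNClient", "5.2", "4.9", date(2025, 9, 30)),
    Entry("ERPModule", "3.1", "3.1", date(2020, 1, 1), exception_review=date(2025, 1, 15)),
    Entry("ERPReports", "1.0", "1.0", date(2020, 1, 1), exception_review=date(2025, 12, 1)),
]
TODAY = date(2025, 6, 1)  # fixed "today" so the sample output is reproducible

if __name__ == "__main__":
    for line in [f"{e.name}: {support_status(e, TODAY)}" for e in SAMPLE] + findings(SAMPLE, TODAY):
        print(line)
```

In practice the rows would be fed from the endpoint or asset management tool’s export rather than hard-coded, and the review-date check gives you the reminder that keeps exceptions from being forgotten.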
The Bottom Line
Unsupported software is one of the easiest ways attackers gain access—and one of the easiest risks to reduce.
CIS Control 2.2 isn’t about perfection. It’s about making sure your environment isn’t relying on software that’s already been abandoned by the people who built it.
If the vendor has moved on, you should too.

With a commitment to revolutionizing how businesses operate, Forthright empowers organizations to unlock the full potential of secure and compliant digital workspaces, enabling employee productivity.