CIS Control 2.2: Ensure Authorized Software is Currently Supported
Software inventory management extends beyond knowing what's installed—you must actively maintain only currently supported versions. CIS Control 2.2 requires documenting authorized software with active vendor support, or formally accepting risk for legacy applications critical to your operations.
What this means
This control mandates that your enterprise asset inventory includes only software with active vendor support and security patches. When unsupported software is necessary for business operations, you must document a formal exception that identifies compensating controls, acknowledges residual risk, and secures stakeholder sign-off. This prevents security gaps from accumulating through outdated, unpatched applications.
How to comply
- 1.Inventory all software deployed across enterprise assets with current version numbers and end-of-support dates
- 2.Identify software approaching or past end-of-support status from vendor release calendars
- 3.Prioritize upgrades to supported versions for applications with known security vulnerabilities
- 4.For mission-critical legacy software without supported versions, document formal exception requests including compensating controls (air-gapping, network segmentation, enhanced monitoring)
- 5.Obtain written approval and risk acceptance from relevant stakeholders for each unsupported software exception
- 6.Schedule quarterly reviews of exception status and supported software inventory to track progress
- 7.Implement alerts for approaching vendor end-of-support dates to trigger upgrade planning
Evidence auditors look for
- Software inventory spreadsheet or CMDB showing vendor, version, and end-of-support date for each application
- Vendor end-of-life documentation and security bulletin references for deprecated versions
- Exception request forms with documented mitigating controls and risk acceptance signatures
- Upgrade project timelines and completion records for migrated applications
- Network segmentation diagrams showing air-gapped legacy systems with compensating controls
- Audit logs from vulnerability scanning tools confirming supported software versions
- Stakeholder approval emails or governance meeting minutes authorizing unsupported software use
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically syncs vendor end-of-life calendars into your inventory and flags unsupported software versions in real-time, so you catch gaps before auditors do and streamline exception documentation workflows.
See how GRCWatch handles this control automatically
Start free trial