STIG ID - BACF1002: Document a Migration Plan for Removing or Upgrading OS Software

Severity: 2 - Medium
A software vendor's code can contain vulnerabilities that can be exploited to cause denial of service or to violate the integrity of your organization's systems or the data on them. Vendors often provide patches to correct these vulnerabilities. When a vendor's products become unsupported, patches are no longer available, leaving the system exposed to future vulnerabilities.
This STIG article provides guidance to ensure that a documented migration plan exists.
The organization will ensure that a documented migration plan exists to monitor system software product versions and releases for end-of-life and non-support dates. The plan will include processes for notifying management and for upgrading to current supported versions of the products.
Identify Audit Finding
Review the following data to determine if you should consider remediation:
Follow these steps:
  1. Verify with the Information Systems Security Officer (ISSO) that a documented migration plan exists to monitor system software product versions and releases for end-of-life and non-support dates and to notify management to upgrade to supported versions of the products.
  2. If product support is provided through an outside group or organization, verify that they have a process to notify your organization of unsupported software.
  3. If a documented migration plan exists, your organization does not have an audit finding.
  4. If a documented migration plan does not exist, your organization has an audit finding. See Remediate Audit Finding.
Remediate Audit Finding
Only the ISSO verifies that a migration process is documented and followed for unsupported software.
Follow these steps:
  1. Ensure the ISSO creates a documented migration plan.
  2. Review your organization's documented migration plan to ensure procedures to monitor system software product versions and releases for end-of-life and non-support dates are included as well as steps to notify management to upgrade to supported versions. If product support is provided through an outside group or organization, verify that they have a process to notify your organization of unsupported software.
A documented migration plan ensures the integrity of your system controls.
Control Correlation Identifier (CCI)
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
CCIs: CCI-000409, CCI-001225
CCI: CCI-000409
Published Date: 2009-09-18
Definition: The organization updates the inventory of information system components as an integral part of component removals.
Type: policy
References:
NIST: NIST SP 800-53 (v3): CM-8 (1)
NIST: NIST SP 800-53 Revision 4 (v4): CM-8 (1)
NIST: NIST SP 800-53A (v1): CM-8 (1).1

CCI: CCI-001225
Published Date: 2009-09-22
Definition: The organization identifies information system flaws.
Type: policy
References:
NIST: NIST SP 800-53 (v3): SI-2 a
NIST: NIST SP 800-53 Revision 4 (v4): SI-2 a
NIST: NIST SP 800-53A (v1): SI-2.1 (i)