2.2
IG1 IG2 IG3

Ensure Authorized Software is Currently Supported

Asset Type: Applications
Security Function: Identify

Description

Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprise's mission, document an exception detailing mitigating controls and residual risk acceptance. Designate any unsupported software that has no documented exception as unauthorized. Review the software list to verify software support at least monthly, or more frequently.
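The decision rule above (supported: authorized; unsupported with a documented exception: authorized; unsupported without one: unauthorized; review at least monthly) expressed as a runnable check over a constructed inventory. This is an added example, not CIS tooling; the record field names, the exception fields and the 31-day review window are assumptions.

```python
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=31)  # "at least monthly"; assumed window

def is_supported(record, today):
    # end_of_support is None while the vendor still supports the version (assumed field)
    eos = record.get("end_of_support")
    return eos is None or today < eos

def has_valid_exception(record, today):
    # An exception counts only if it documents mitigating controls, names the
    # risk acceptor, and has not expired (assumed required fields).
    exc = record.get("exception")
    if not exc:
        return False
    required = ("mitigating_controls", "risk_accepted_by", "expires")
    return all(exc.get(k) for k in required) and today <= exc["expires"]

def classify(record, today):
    """Authorization status the safeguard prescribes for one inventory record."""
    if is_supported(record, today):
        return "authorized"
    if has_valid_exception(record, today):
        return "authorized (documented exception)"
    return "unauthorized"

def review_inventory(records, today):
    """Classify every record and flag entries whose support review is overdue."""
    return {
        r["name"]: {
            "status": classify(r, today),
            "review_overdue": today - r["last_reviewed"] > REVIEW_INTERVAL,
        }
        for r in records
    }

# Constructed sample inventory (not real enterprise data)
SAMPLE_INVENTORY = [
    {"name": "webapp-framework 4.x", "end_of_support": None,
     "last_reviewed": date(2024, 6, 1)},
    {"name": "legacy-db 9", "end_of_support": date(2023, 12, 31),
     "exception": {"mitigating_controls": "network isolation, no internet egress",
                   "risk_accepted_by": "CISO", "expires": date(2025, 1, 31)},
     "last_reviewed": date(2024, 6, 10)},
    {"name": "old-reporting-tool", "end_of_support": date(2022, 1, 1),
     "last_reviewed": date(2024, 3, 1)},
]

if __name__ == "__main__":
    for name, r in review_inventory(SAMPLE_INVENTORY, date(2024, 6, 15)).items():
        flag = "  [review overdue]" if r["review_overdue"] else ""
        print(f"{name}: {r['status']}{flag}")
```

Once the exception on "legacy-db 9" expires, the same record drops to unauthorized, which is the cue to renew the exception or retire the software.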

Implementation Checklist

1. Document current state and create baseline inventory
2. Define data fields and attributes to track
3. Assign ownership and responsibilities
4. Establish review cadence and update procedures
5. Select and deploy inventory management tool
6. Populate initial inventory with all known assets
7. Establish process for adding/removing inventory entries
8. Establish software authorization review process
9. Deploy application allowlisting technology
10. Maintain and update authorized software list

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Exploitation of End-of-Life Software Vulnerabilities

Integrity

Unsupported software no longer receives security patches, allowing attackers to exploit publicly disclosed CVEs with readily available exploit code.

Zero-Day Persistence in Legacy Applications

Confidentiality

Unsupported applications with zero-day vulnerabilities will never be patched by the vendor, giving attackers permanent exploitation capabilities against those systems.

Vulnerabilities (When Safeguard Absent)

Unsupported Software in Production Without Mitigating Controls

Running end-of-life software without documented exceptions and compensating controls leaves known vulnerabilities permanently unaddressed in the environment.

No Tracking of Software Support Lifecycle

Without monitoring vendor support status, the organization is unaware when critical software transitions to end-of-life, continuing to rely on it without risk acceptance.

Evidence Requirements

Type      | Evidence Item                                                     | Collection Frequency
Document  | Current inventory or catalog documentation                        | Maintained continuously, reviewed quarterly
Document  | Process/procedure documentation for identification activities     | Reviewed annually
Technical | Asset/software inventory export with required fields populated    | Exported quarterly for review
Record    | Inventory review meeting minutes or sign-off                      | Per review cycle
Document  | Governing policy document (current, approved, communicated)       | Reviewed annually