NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION

SA-3(3) Technology Refresh

Plan for and implement a technology refresh schedule for the system throughout the system development life cycle.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Technology refresh planning may encompass hardware, software, firmware, processes, personnel skill sets, suppliers, service providers, and facilities. The use of obsolete or nearing obsolete technology may increase the security and privacy risks associated with unsupported components, counterfeit or repurposed components, components unable to implement security or privacy requirements, slow or inoperable components, components from untrusted sources, inadvertent personnel error, or increased complexity. Technology refreshes typically occur during the operations and maintenance stage of the system development life cycle.

Practitioner Notes

Technology refresh means planning for and executing the replacement of aging systems and components before they become unsupported, insecure, or unable to meet mission requirements.

Example 1: Maintain a technology lifecycle inventory that tracks each major system and component, its vendor support end date, and your planned replacement date. For example, if Windows Server 2016 reaches end of support in January 2027, your refresh plan should have replacement underway by mid-2026.

Example 2: Tie technology refresh to your budget cycle. Each year, identify systems approaching end-of-life in the next 18 months and include replacement costs in the next budget request. Track refresh progress in your POA&M so aging technology does not become a recurring audit finding.