NIST CSF 2.0 · All Functions · PR Protect · PR.PS Platform Security

PR.PS-02

Software is maintained, replaced, and removed commensurate with risk

Implementation examples

Ex1: Perform routine and emergency patching within the timeframes specified in the vulnerability management plan
Ex2: Update container images, and deploy new container instances to replace rather than update existing instances
Ex3: Replace end-of-life software and service versions with supported, maintained versions
Ex4: Uninstall and remove unauthorized software and services that pose undue risks
Ex5: Uninstall and remove any unnecessary software components (e.g., operating system utilities) that attackers might misuse
Ex6: Define and implement plans for software and service end-of-life maintenance support and obsolescence

Mapped NIST 800-53 r5 controls (5)

Mapped CWE weaknesses (8)

Hover any chip for the human-reviewed coverage assessment in each direction. ← = the CWE covers this subcategory; → = this subcategory covers the CWE. F / M / P = full, mostly, partial.

CWE-1391→P CWE-200→P CWE-22→P CWE-284→P CWE-287→P CWE-502→P CWE-78→P CWE-79←P

All informative references (68)

AI-SOC: AI-SOC-08
AI-SOC: AI-SOC-22
CCMv4.0: AIS-04
CCMv4.0: AIS-05
CCMv4.0: AIS-07
CCMv4.0: CCC-04
CCMv4.0: CCC-09
CCMv4.0: DSP-02
CCMv4.0: TVM-03
CCMv4.0: TVM-04
CCMv4.0: TVM-05
CCMv4.0: TVM-08
CCMv4.0: UEM-02
CCMv4.0: UEM-03
CCMv4.0: UEM-07
CIS Controls v8.0: 2.2
CIS Controls v8.0: 2.3
CIS Controls v8.1: 2.2
CIS Controls v8.1: 2.3
CRI Profile v2.0: PR.PS-02
CRI Profile v2.0: PR.PS-02.01
CRI Profile v2.0: PR.PS-02.02
CRI Profile v2.0: PR.PS-02.03
CSF v1.1: PR.IP-12
CSF v1.1: PR.MA-2
ISO/IEC 27001:2022: Mandatory Clause: None
ISO/IEC 27001:2022: Annex A Controls: 5.9
NICE Framework: DD-WRL-001
NICE Framework: DD-WRL-002
NICE Framework: DD-WRL-005
NICE Framework: DD-WRL-006
NICE Framework: IO-WRL-005
NICE Framework: IO-WRL-007
NICE Framework: OG-WRL-013
NICE Framework: PD-WRL-004
OWASP Top 10 LLM Applications: LLM03-2025
PCI DSS: 6.3.3
PCI DSS: 6.3.1
PCI DSS: 6.3.2
PCI DSS: 12.3.4
SCF: MNT-01
SCF: MNT-02
SCF: MNT-03
SCF: MNT-03.1
SCF: PRM-07
SCF: SEA-07.1
SCF: TDA-17
SCF: VPM-01
SCF: VPM-01.1
SCF: VPM-02
SCF: VPM-05
SDOS: SDOS-IA-02
SDOS: SDOS-IN-03
SP 800-171 Rev 3: 03.14.01
SP 800-53 Rev 5.1.1: CM-11
SP 800-53 Rev 5.1.1: MA-03(06)
SP 800-53 Rev 5.1.1: SA-10(01)
SP 800-53 Rev 5.1.1: SI-02
SP 800-53 Rev 5.1.1: SI-07
SP 800-53 Rev 5.2.0: CM-11
SP 800-53 Rev 5.2.0: MA-03(06)
SP 800-53 Rev 5.2.0: SA-10(01)
SP 800-53 Rev 5.2.0: SI-02
SP 800-53 Rev 5.2.0: SI-07
SP 800-81r3: 2.2.3
SP 800-81r3: 3.8.2
SP 800-81r3: 4.2.6
SSDF: PO.5.2

Source: NIST Cybersecurity Framework 2.0 · CSF 2.0 → 800-53 mappings sourced from NIST Cybersecurity & Privacy Reference Tool (CPRT) · US government work — attribution requested per NIST Open License Terms. Direct CSF→CWE/CVE cross-references will be added in a Phase B LLM-authored mapping pass (not yet rendered).