Legacy / EOS triage

Legacy / End-of-Support Component Triage

For devices stuck on Windows 10 IoT, RHEL 7, end-of-life kernels, or unsupported chipsets. Score the residual risk, capture the compensating controls, and export a memo a reviewer will accept.

Reviewed by

Christian Espinosa

Founder & CEO, Blue Goat Cyber

Last reviewed June 10, 2026

Legacy component

End-of-support date

Why is it still in use?

Risk factors present

Component is reachable from a network (LAN, internet, BLE/Wi-Fi)Component handles PHI or other regulated dataComponent is in a safety-critical path (therapy delivery, alarm logic)Component performs authentication or cryptographyComponent requires physical access to reach

Compensating controls in place

Network isolation / segmentation (VLAN, no inbound, allow-list egress)Submission evidence: Network architecture diagram showing the device on an isolated segment with only required outbound flows.Wrapper / sandbox around the EOS component (containerization, syscall filtering)Submission evidence: Description of the wrapper, the syscall / capability allow-list, and verification testing.Strict input validation at the boundary (no untrusted input reaches the legacy code path)Submission evidence: Input-validation specification + negative test results.Enhanced monitoring (file integrity, EDR-equivalent, anomaly detection)Submission evidence: Monitoring rule set with detection-test results and incident response procedure.Extended-support contract with the vendor (paid LTS, ELS, or backport stream)Submission evidence: Contract excerpt + cadence of backported patches; track each patch in your SBOM updates.Maintained internal backport branch with documented patch processSubmission evidence: Branch ownership, patch process, and verification testing for each backported fix.Functional freeze (no new attack surface added to the legacy path)Submission evidence: Change-control evidence; PR template that blocks edits to the legacy module without security review.Exit plan with date - replacement design in progressSubmission evidence: Project plan with target date, owner, and risk acceptance until then.

What you'll see after you submit

Risk factors + controls → reviewer-ready compensating-controls memo

Frames the legacy component the way the FDA's TPLC guidance asks you to: risk, control, residual, exit plan.
Each compensating control comes with a clear submission-evidence line so you know exactly what to attach.
Markdown export drops straight into the cybersecurity risk-management report.

Common misconceptions

What teams usually get wrong

Myth: EOS components are an automatic submission blocker.

Reality: They aren't - but only if you document the residual risk and the compensating controls in a way the reviewer can verify. Hand-waving gets a deficiency letter.
Myth: A vendor LTS contract is enough on its own.

Reality: It's a strong control, but reviewers also want to see segmentation, monitoring, and an exit plan with a date.

References & further reading

Primary sources behind this tool

Why this tool is current

Recent regulatory + supply-chain activity

Tracked signals that change what reviewers expect. Items move on as new ones land.

Pair with

Legacy / End-of-Support Component Triage

Risk factors + controls → reviewer-ready compensating-controls memo

What teams usually get wrong

Primary sources behind this tool

Recent regulatory + supply-chain activity

Legacy device cybersecurity services

Threat Model Starter

Postmarket Cadence Calculator

Legacy / End-of-Support Component Triage

Risk factors + controls → reviewer-ready compensating-controls memo

What teams usually get wrong

Primary sources behind this tool

Recent regulatory + supply-chain activity

Make the memo defensible.

Legacy device cybersecurity services

Threat Model Starter

Postmarket Cadence Calculator