Standard for Supported Software


Document Control

Standard Owner: UW-IT CISO

Required Review: UW VP for IT/CIO

Approval Authority: I&T Exec Com/board, CIO

Date of Issue: 1/1/2026

Last Reviewed: 1/1/2026

Next Review Date: 1/1/2028

Document Number: APS 2.6.STN-3.03

Related Policies: Health Insurance Portability and Accountability Act; Family Educational Rights and Privacy Act; Gramm-Leach-Bliley Act; EO 63, APS 2.3, APS 2.6

Purpose

To ensure the confidentiality, integrity, and availability of University data and systems, all University-owned or managed devices must use only supported operating systems and software. This standard defines the requirements, timelines, and exception process for maintaining supported software environments.

Scope

This standard applies to all University-owned or University-managed physical and virtual systems that store, process, or transmit University data, regardless of their physical location or funding source. UW Medicine entities are excluded and instead are subject to standards published by UW Medicine Information Technology Services.

Compliance date for Servers: June 30, 2026.

Compliance date for other Information Technology Devices: December 30, 2026.

Definitions

Information Technology Device: Any device, whether physical or virtual, capable of running an operating system or application software, including but not limited to servers, desktops, laptops, mobile devices, and virtual machines.

Server: An information technology device whose primary use is to provide services, data, or resources to other devices or users over a network. For the purpose of this standard, end user devices and Internet of Things devices are not servers.

Supported software: An operating system or other software, whether commercial or free, receiving regular or assured ongoing updates and maintenance. Software is considered unsupported when critical vulnerabilities in the software have been unaddressed by the vendor or maintainer for at least 90 days after disclosure.

Standard Requirements

Only supported operating systems and other software may be used on University Information Technology Devices.

Roles and Responsibilities

Role: Responsibility

Chief Information Security Officer (CISO) or their designees: Reviewing exception requests and determining whether to approve exceptions

Chief Information Security Officer (CISO) or their designee: Tracking all exception requests and exceptions in the Information Security Risk Registry

Chief Information Security Officer (CISO) or their designee: Reviewing this standard consistent with its review schedule and making appropriate updates in collaboration with representatives from distributed University IT staff

Executive heads of major organizations or their designee: Ensuring their information technology devices comply within the specified timelines

Executive heads of major organizations or IT Directors or equivalents: Requesting exceptions

Compliance

  1. Exceptions
    1. Exception requests must be submitted to the CISO or their designee. Only executive heads of major organizational units or directors of IT or equivalent roles are authorized to initiate requests.
    2. Exception requests must be submitted at least 60 days prior to the request's effective date.
    3. All requests for exceptions must be submitted in writing, specifying the business justification, scope, approximate risk rating (low, medium, high), and proposed compensating controls or mitigation strategies.
    4. Exception requests must include a duration that must not exceed 12 months.
    5. Requests for a renewal of an exception must use the same process and must be submitted at least 60 days prior to expiration.
    6. Requests for exceptions must be documented in the Information Security Risk Registry.
  2. Failure to comply with this standard creates financial, organizational, and security risks for the University of Washington and may result in revocation of access to University IT systems or networks, loss of IT support, and disciplinary measures.

References

· None

Revision History

Date    Description    Author/Editor

January 1, 2026

Andreas Bohman, VP & CIO