This technical bulletin will address the importance of upgrading Microsoft Windows 10 to Windows 11.
This upgrade is crucial for maintaining security best practices and compliance with CMMC and NIST SP 800-171 through the timely application of security patches.
While multiple controls in NIST SP 800-171 (NIST SP 800-171 Rev. 2) address the importance of patching, the following domain and control are the most relevant for this technical bulletin.
3.14 SYSTEM AND INFORMATION INTEGRITY
3.14.1 – Identify, report, and correct system flaws in a timely manner.
“Organizations identify systems that are affected by announced software and firmware flaws including potential vulnerabilities resulting from those flaws and report this information to designated personnel with information security responsibilities. Security-relevant updates include patches, service packs, hot fixes, and anti-virus signatures…”
Microsoft follows a fixed or modern lifecycle policy for its products, providing updates during mainstream and extended support phases (Microsoft Windows version support lifecycle). Once a version reaches end-of-life (EOL), it no longer receives security patches. This creates significant risks for organizations, particularly those handling CUI, as unsupported systems are vulnerable to exploitation by malicious actors.
In addition to the compliance risks, there are security risks addressed by staying on a supported version. The security risks associated with running unsupported versions include:
See the table below for Windows Client lifecycle support.
| Operating System | Support Status | End of Support Date |
| --- | --- | --- |
| Windows 8.1 | Unsupported | January 10, 2023 |
| Windows 10 | Supported (Modern Policy) | October 14, 2025 |
| Windows 11 | Supported (Modern Policy) | Ongoing, updates continue |
NOTE: Microsoft offers an ‘Extended Security Updates (ESU) program for Windows 10’; see link in the References section below for more details.
Summit 7’s Guardian for Microsoft 365 service includes upgrades of these workstations at no additional cost. Your Guardian support team will evaluate your environment to identify and upgrade Windows 10 systems. Post-upgrade support is available for the operating system and commercial off-the-shelf (COTS) applications.