PR.PS-02 focuses on maintaining, replacing, or removing software based on risk, including timely patching, updating container images, and phasing out end-of-life versions. This ensures software remains supported and secure, reducing vulnerabilities from outdated or unauthorized applications. It includes plans for obsolescence to manage lifecycle risks.

This subcategory strengthens resilience by uninstalling unnecessary or risky software components that could be exploited, aligning updates with vulnerability management timelines. It balances security with operational needs, ensuring only current, necessary software persists. PR.PS-02 keeps the software environment lean and protected.