We are certainly sensitive to not wanting to break existing solutions that are in production, and I assure you we take every measure we can to avoid that whenever possible. That being said, we simply can’t state that existing solutions will not incur a charge to continue to support.
There are two major scenarios where I see this occurring.
The first is when IT Security crafts new policies in response to emerging threats or best practices. When this occurs we will respond with whatever measures IT Security dictates. If this breaks an existing service, it will be up to IT Security to consider exceptions or recommend remediation measures on a case by case basis. Such measures will likely incur a charge as it requires crafting a “one-off” solution that is outside of current security practices.
With respect to “grandfathering” when vulnerabilities exist in services, all vulnerabilities must be addressed within the time-frames described in the Vulnerability Management Program Component which is published at http://it.unm.edu/security/program/components
The other scenario is a result of the continuing evolution of technology. Just as we’ve had to upgrade from FDDI and Token Ring to Ethernet, there will no doubt be future standards that require upgrades in order to maintain a standardized environment.