Micro Focus Clarification for Nov 1, 2019 “Product Support Lifecycle – Notice of Policy Update”

March 2020

To Whom It May Concern,

You are receiving this communication because you are listed as your company's contact for a subscription ID (previously known as Support Agreement ID) that includes at least one of the ArcSight products this communication is about. Should you no longer be your company's contact for subscription ID(s), please contact your Micro Focus Representative or Micro Focus Business Partner to request the subscription ID(s) to be updated.

If you require information about the name of your Renewals Sales or Customer Subscription name, you can use chat functionality in My Support portal as well as inbound telephone numbers here.

On November 1, 2019, Micro Focus announced a change in its support policies that aligned most of the former HPE-Software products with Micro Focus’ established support framework. ArcSight was one of the products affected by this change. This letter is to help our ArcSight family better understand the changes and the potential impacts. For more information, please visit our support lifecycle website for all the policy details.

One change our customers will see is that as long as a customer is current on maintenance, they will not be denied access to Technical Support. Customers will be able to contact Technical Support and the engineers will provide best effort support in resolving the issue. Technical Support will work with customers to demonstrate the value in upgrading to the latest version and work on upgrading their environment if they choose to do so. Further, access to Self-help resources will no longer have an end-date associated with them.

The most notable change will be concerning support situations where hotfixes, patches, etc. are required. Effective November 1, 2019 and retroactive to all ArcSight components, unless otherwise stated on the support lifecycle website, we will follow the program outlined below

Committed Support – This is the period during which an Arcsight component receives engineering support.  Arcsight will divide its Committed Support period into three phases:

Committed Support Year 1: This is the first twelve-months from GA. During this time the ArcSight product team will provide hotfixes, patches, Service Packs, security vulnerability remediation, etc. as deemed appropriate and necessary.

Committed Support Year 2: This is the second twelve-month period from GA. During this time the ArcSight product team, working with our Technical Support, and product security team, will issue patches only in the following situations.

• Presence of a verified Severity 1 or Severity 2 issue identified and categorized by Technical Support.
• Confirmed security vulnerability with a criticality of seven, or higher, as scored in the NIST National Vulnerability Database.
• Responsible researcher reports a new vulnerability
   

Committed Support Year 3: This is the third twelve-month period from GA. During this time, the only patches issued will be for the following:

• Confirmed security vulnerability with a criticality of seven, or higher, as scored in the NIST National Vulnerability Database
• Responsible researcher reports a new vulnerability that can be reasonably remediated within the remaining time of Committed Support
   

Once the Committed Support period ends, the code-base is forever closed and no further issues for that version are logged or addressed. ArcSight customers are encouraged to make sure that their upgrade plans accommodate this change.

I do wish to point out that we will be following a unique variation concerning ESM. We synchronized the end of Committed Support dates for ESM releases v 6.11 – 7.0 P2. This has been done for a variety of reasons and should help most of our customers in their transitions. ESM versions 6.8 – 6.9 are considered in Committed Support Year 3 effective as of Nov 1, 2019. All versions prior to ESM v6.8 are considered to be at the end of Committed Support.

Logger versions 6.7x will follow this new model effective with the GA of Logger 7.0. Logger v. 6.5x – 6.6 are considered in Committed Support Year 3 effective from November 1, 2019

These are unique situations.  All other component information should be found on our support lifecycle website.

Customers have inquired as to why we are implementing this change. In the case of ArcSight, it is because ArcSight is a living product with many exciting changes planned for 2020 and beyond. While every business has unique considerations, we have found that in general organizations plan their update calendars for their critical business systems based on the vendor’s support policy. We know that we are not the only vendor in the organization’s security operations program, and that customers need time. In addition, this new policy aligns with our supported upgrade paths, striking the best balance between our customer’s need to plan, staying current, and not falling so far behind that upgrades are needlessly complicated creating “no win” situations for all involved.

Finally, If you were a customer who happened to see the support website between November 1, 2019 – and January 31,2020, please go and revisit the site if you have not recently done so. Some errors in the initial positing have been corrected.

Of course should you have any questions or concerns not addressed by either this letter or the information provided on our website, than please reach out to us, and we will be happy to address as quickly as possible.

Respectfully,