SA9: Operating system and application patches must be current and supported by the vendor or Open Source project, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).