As far as I'm aware, we don't have a documented policy on minimum versions of third party packages that we must support.
In practice, the versions that we do support are set in the EUPS pseudo-packages:
We ought to (but do not necessarily) rigorously check that all code we commit works with those versions. (In practice, I suspect almost everybody is running with at least Astropy 1.2.1, per the original post, so we might well have already violated that constraint.)
Upgrading the versions of third party packages would indeed require an RFC. In our current mode of operation, I don't think it needs a heavier-weight process than that. However, I would expect discussion on that RFC to focus not just on how great the new version is, but also on the disruption caused by the update.
While obviously the Conda environments (and hence Jenkins, shared stacks, etc) have to track at least the minimum version specified in the pseudo-packages, I'm not sure whether we ought to require that they be the same as. Certainly, we don't at the moment. Opinions on this welcome.