Critical and high CVEs are patched within 14 days; all others within 30 days
The majority of successful compromises exploit vulnerabilities that already have patches available. Attackers actively scan for unpatched systems within days of a CVE being published; the window between public disclosure and active exploitation has compressed to hours for critical vulnerabilities. Defining explicit SLAs for patching based on severity forces prioritization and creates accountability. Without a documented SLA, patching becomes ad hoc and backlogs grow silently.
Implementation steps
- 1
Define and document patch management SLAs by severity
Write a formal patch management policy stating the maximum time allowed between patch availability and deployment by severity: critical CVEs within 7 days, high CVEs within 14 days, medium within 30 days, low within 90 days. For CISA KEV entries, use the CISA-specified due date regardless of CVSS score. Get the policy approved by a manager or security lead.
confluence notion google-docs - 2
Automate OS and application patching on endpoints
Configure your MDM or patch management platform to automatically deploy OS security updates to endpoints. For Windows, use Windows Update for Business or Intune to enforce updates within your SLA window. For macOS, use Jamf Pro or Kandji. Enable auto-update for common high-risk applications: browsers, PDF readers, and office suites are frequent exploitation targets.
microsoft-intune jamf kandji wsus - 3
Track patching compliance and generate SLA exception reports
Run weekly reports showing devices that have not received a patch within the required window. Any device out of SLA compliance should generate a ticket automatically. Review the report in a recurring security meeting. Devices that consistently cannot be patched due to operational constraints should be isolated or have compensating controls applied.
microsoft-intune jamf tenable qualys drata
Evidence required
Patch management policy with defined SLAs
A documented policy showing remediation timeframes by CVE severity.
- - Patch management policy document with severity-based timelines
- - MDM patch compliance report showing current patch levels across all devices
- - Vulnerability scanner report showing open vulnerabilities with age
Related controls
Full-disk encryption is enforced on all endpoints and portable storage
Device Security
An inventory of authorized hardware and software assets is maintained
Device Security
Devices are configured securely with hardened baselines
Device Security
Network segmentation isolates critical systems
Device Security