Identify, report, and correct information system flaws in a timely manner
Software vulnerabilities are a primary entry point for attackers. Unpatched systems with known vulnerabilities are routinely exploited within days or weeks of a patch being publicly available. Organizations must have a process for discovering vulnerabilities in their systems, prioritizing them by severity, and applying patches or mitigations within a defined timeframe. Critical vulnerabilities should be remediated faster than routine patches.
Implementation steps
- 1
Implement vulnerability scanning
Deploy a vulnerability scanner to regularly scan all systems in scope for FCI. Run authenticated scans that log into systems and report vulnerabilities in installed software, not just externally visible issues. Schedule scans at least monthly, or more frequently for internet-facing systems.
tenable qualys rapid7 openvas crowdstrike-falcon-spotlight - 2
Establish patch management processes
Define patching windows and SLAs by severity: for example, critical vulnerabilities patched within 14 days, high within 30 days, medium within 90 days. Use a patch management system to deploy patches automatically where possible and track patch compliance across your environment.
wsus intune jamf ansible chef - 3
Prioritize and track remediation
Create a process to triage vulnerability scan results, prioritize by CVSS score and exploitability, and assign remediation tickets. Track open vulnerabilities and their remediation status. Escalate vulnerabilities that are approaching or past their SLA. Document accepted risks for vulnerabilities that cannot be immediately patched.
jira servicenow tenable qualys - 4
Subscribe to security advisories
Subscribe to vulnerability notifications from CISA (US-CERT), software vendors for all products in your environment, and the National Vulnerability Database. When critical vulnerabilities are announced, assess your exposure immediately rather than waiting for the next scheduled scan.
Evidence required
Vulnerability scan reports
Recent vulnerability scan results covering in-scope systems.
- - Tenable or Qualys scan reports
- - Automated scanning schedule configuration
Patch management policy and SLAs
Written policy defining patching timelines by severity.
- - Patch management policy with SLA table
- - Vulnerability remediation SLA documentation
Patch compliance evidence
Evidence showing that patches are being applied within defined SLAs.
- - Patch compliance dashboard
- - Remediation tracking tickets
- - Before/after scan comparison showing vulnerability closure
Related controls
Update malware protection mechanisms when new releases are available
Malware Protection
Provide protection from malicious code at appropriate locations
Malware Protection
Perform periodic system scans and real-time scans of files from external sources
System Scanning