03.14.01: Flaw Remediation
Control Familly: System and Information Integrity
SPRS: N/A
Top Ten Failed Requirement: N/A
Supporting Publications:
SP 800-39 [60]
SP 800-40 [56]
SP 800-128 [41]
Referenced in: N/A
Control Type: N/A
CPCSC Level 2: 03.14.01
CMMC Level(s): N/A
Derived From: NIST SP 800-53r5
SI-02
a. Identify, report, and correct system flaws.
b. Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates.
Discussion:
Organizations identify systems that are affected by announced software and firmware flaws, including potential vulnerabilities that result from those flaws, and report this information to designated personnel with information security responsibilities. Security-relevant updates include patches, service packs, hot fixes, and anti-virus signatures. Organizations address the flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations can take advantage of available resources (e.g., CWE or CVE databases) when remediating system flaws. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors, including the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types.
Assessment Methods and Objectives
Examine [SELECT FROM: system and information integrity policy and procedures; procedures for flaw remediation; procedures for configuration management; list of recent security flaw remediation actions performed on the system; list of flaws and vulnerabilities that may potentially affect the system; test results from the installation of software and firmware updates to correct system flaws; installation and change control records for security-relevant software and firmware updates; system security plan; other relevant documents or records]
Interview [SELECT FROM: personnel responsible for installing, configuring, or maintaining the system; personnel responsible for flaw remediation; personnel with configuration management responsibilities; personnel with information security responsibilities; system administrators]
Test [SELECT FROM: processes for identifying, reporting, and correcting system flaws; processes for installing software and firmware updates; mechanisms for supporting or implementing the reporting and correction of system flaws; mechanisms for supporting or implementing the testing software and firmware updates]
NIST SP 800-171A r3 Determining Statements Determine if:
A.03.14.01.ODP[01]: the time period within which to install security-relevant software updates after the release of the updates is defined.
A.03.14.01.ODP[02]: the time period within which to install security-relevant firmware updates after the release of the updates is defined.
A.03.14.01.a[01]: system flaws are identified.
A.03.14.01.a[02]: system flaws are reported.
A.03.14.01.a[03]: system flaws are corrected.
A.03.14.01.b[01]: security-relevant software updates are installed within <A.03.14.01.ODP[01]: time period> of the release of the updates.
A.03.14.01.b[02]: security-relevant firmware updates are installed within <A.03.14.01.ODP[02]: time period> of the release of the updates.
The Security Requirements
NIST SP 800-171r3 (USA) & ITSP.10.171 (Canada)
3.5. Identification and Authentication
3.12. Security Assessment and Monitoring
3.13. System and Communications Protection
3.14. System and Information Integrity
3.16. System and Services Acquisition
3.17. Supply Chain Risk Management
CMMC 3.0 - N/A
CPCSC - N/A