SI-02-727 Flaw Remediation

SI-02-727
Flaw Remediation
System and Information Integrity
LOW, MOD, HIGH
P1
Yes
May 20, 2016
All flaws in Agency information resources are identified by a custodian or user, tracked in a centralized incident management system (for remediation of internally developed applications) or patch management system (for remediation of commercially procured applications), and remediated within 90 days of the release of the updates by the vendor.
Security vulnerabilities may not be identified in a timely manner.
The organization:
a. Identifies, reports, and corrects information system flaws;
b. Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;
c. Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and
d. Incorporates flaw remediation into the organizational configuration management process.
System flaws are tracked in a central repository for anticipated corrective actions.
The state organization identifies, reports, and corrects information system flaws.
Obtain system and information integrity policy; procedures addressing flaw remediation; NIST Special Publication 800-40; list of flaws and vulnerabilities potentially affecting the information system; list of recent security flaw remediation actions performed on the information system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct information system flaws); test results from the installation of software to correct information system flaws; automated mechanisms supporting flaw remediation; information system design documentation; information system configuration settings and associated documentation; list of information system flaws; information system audit records; other relevant documents or records and ascertain if:
(i) the organization identifies, reports, and corrects information system flaws.
(ii) the organization installs newly released security patches, service packs, and hot fixes on the information system in a reasonable timeframe in accordance with organizational policy and procedures.
(iii) the organization addresses flaws discovered during security assessments, continuous monitoring, or incident response activities in an expeditious manner in accordance with organizational policy and procedures.
(iv) the organization tests information system patches, service packs, and hot fixes for effectiveness and potential side effects before installation.
(v) the organization captures all appropriate information pertaining to the discovered flaws in the information system, including the cause of the flaws, mitigation activities, and lessons learned.
(vi) the organization employs automated mechanisms to periodically and upon demand determine the state of information system components with regard to flaw remediation.