This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization centrally manages the flaw remediation process.
NIST 800-53 (r4) Supplemental Guidance:
Central management is the organization-wide management and implementation of flaw remediation processes. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed flaw remediation security controls.
NIST 800-53 (r5) Discussion:
[Withdrawn: Incorporated into PL-9.]
38North Guidance:
Meets Minimum Requirement:
Utilize some mechanism (e.g., service, tool, ticketing system, etc.) to plan, implement, assess, authorize, and monitor flaw remediation related to vulnerability scanning and relevant vendor releases.
Best Practice:
CSPs typically utilize ticketing systems (e.g., Jira, ServiceNow, GHE, etc.) to integrate with scanning systems to create and assign tickets based on defined ownership mappings.
Implement a centralized tool, ideally a SIEM but potentially a native vulnerability scanner dashboard, for tracking and visualizing findings and their trends over time.
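As an added illustration of the scanner-to-ticketing integration described above (example code written for this page, not a CSP's or vendor's own tooling), the script below takes constructed scanner findings, assigns each to an owning team from an ownership mapping, creates one ticket per finding-per-host without duplicating tickets across rescans, marks tickets remediated when the finding disappears from the latest scan, and produces the counts a central dashboard would show. The hostnames, finding identifiers, ownership prefixes and per-severity SLA days are all assumptions made for the example, not values from the page.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample scanner output (not from any real scanner): one row per
# finding per host. "finding_id" stands in for whatever identifier the scanner
# emits (plugin id, advisory id, etc.). The last row is a deliberate duplicate
# of the first, as a rescan would produce.
SAMPLE_FINDINGS = [
    {"host": "web-prod-01", "finding_id": "SCAN-0001", "severity": "high", "first_seen": "2024-01-02"},
    {"host": "web-prod-02", "finding_id": "SCAN-0001", "severity": "high", "first_seen": "2024-01-02"},
    {"host": "db-prod-01", "finding_id": "SCAN-0002", "severity": "moderate", "first_seen": "2024-01-10"},
    {"host": "ci-runner-03", "finding_id": "SCAN-0003", "severity": "low", "first_seen": "2023-11-01"},
    {"host": "web-prod-01", "finding_id": "SCAN-0001", "severity": "high", "first_seen": "2024-01-02"},
]

# Assumed ownership mapping: hostname prefix -> owning team. A real deployment
# would key on asset-inventory tags rather than naming conventions.
OWNERSHIP_MAP = {"web-": "platform-team", "db-": "data-team", "ci-": "devops-team"}
DEFAULT_OWNER = "security-triage"  # catch-all queue for unmapped assets

# Assumed remediation SLA per severity, in days (an assumption for this
# example, not a figure taken from the page).
SLA_DAYS = {"critical": 30, "high": 30, "moderate": 90, "low": 180}


@dataclass
class Ticket:
    key: str
    host: str
    finding_id: str
    severity: str
    owner: str
    opened: date
    due: date
    status: str = "open"


def assign_owner(host, ownership_map=OWNERSHIP_MAP):
    """Map a host to its owning team by longest matching prefix; fall back to triage."""
    matches = [p for p in ownership_map if host.startswith(p)]
    if not matches:
        return DEFAULT_OWNER
    return ownership_map[max(matches, key=len)]


def build_tickets(findings, ownership_map=OWNERSHIP_MAP, existing=None):
    """Turn raw findings into tickets keyed by finding@host.

    Existing tickets are kept rather than duplicated; a finding that reappears
    on a ticket already marked remediated reopens that ticket.
    """
    tickets = dict(existing or {})
    for f in findings:
        key = f"{f['finding_id']}@{f['host']}"
        if key in tickets:
            if tickets[key].status != "open":
                tickets[key].status = "open"  # regression: finding came back
            continue
        sev = f["severity"].lower()
        opened = date.fromisoformat(f["first_seen"])
        tickets[key] = Ticket(
            key=key, host=f["host"], finding_id=f["finding_id"], severity=sev,
            owner=assign_owner(f["host"], ownership_map), opened=opened,
            due=opened + timedelta(days=SLA_DAYS[sev]),
        )
    return tickets


def close_resolved(tickets, current_findings):
    """Mark open tickets whose finding no longer appears in the latest scan as remediated."""
    still_present = {f"{f['finding_id']}@{f['host']}" for f in current_findings}
    for key, t in tickets.items():
        if key not in still_present and t.status == "open":
            t.status = "remediated"
    return tickets


def summarize(tickets, today_iso):
    """Counts a central dashboard would show: open by severity, by owner, and overdue keys."""
    today = date.fromisoformat(today_iso)
    open_tickets = [t for t in tickets.values() if t.status == "open"]
    by_severity, by_owner = {}, {}
    for t in open_tickets:
        by_severity[t.severity] = by_severity.get(t.severity, 0) + 1
        by_owner[t.owner] = by_owner.get(t.owner, 0) + 1
    overdue = sorted(t.key for t in open_tickets if t.due < today)
    return {"open": len(open_tickets), "by_severity": by_severity,
            "by_owner": by_owner, "overdue": overdue}


if __name__ == "__main__":
    tickets = build_tickets(SAMPLE_FINDINGS)
    print(summarize(tickets, "2024-02-15"))
```

The `summarize` output is the kind of evidence a 3PAO would expect the central mechanism to produce: which findings are open, who owns them, and which have passed their due date. Running `build_tickets` again with `existing=` set to the prior ticket set is what keeps a nightly scan import from creating duplicate tickets.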
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Tickets (or similar documentation) for low, moderate, and high/critical findings that track identified issues from scanners within the central mechanism (e.g., ticketing system) until remediation.
The 3PAO may also request that the CSP log into the relevant system and show that vendor-related security updates have been tested in a test environment and then applied in production. Examples include a screenshot or export from Microsoft's SCCM solution, or evidence of previous and current Infrastructure-as-Code iterations showing where a system was patched and then deployed, with the delta between the two retained as evidence.
CSP Implementation Tips: None