This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization:
(a) Measures the time between flaw identification and flaw remediation; and
(b) Establishes [Assignment: organization-defined benchmarks] for taking corrective actions.
NIST 800-53 (r4) Supplemental Guidance:
This control enhancement requires organizations to determine the current time it takes on the average to correct information system flaws after such flaws have been identified, and subsequently establish organizational benchmarks (i.e., time frames) for taking corrective actions. Benchmarks can be established by type of flaw and/or severity of the potential vulnerability if the flaw can be exploited.
NIST 800-53 (r5) Discussion:
Organizations determine the time it takes on average to correct system flaws after such flaws have been identified and subsequently establish organizational benchmarks (i.e., time frames) for taking corrective actions. Benchmarks can be established by the type of flaw or the severity of the potential vulnerability if the flaw can be exploited.
38North Guidance:
Meets Minimum Requirement:
Part a. Scan all assets within the current inventory within timeframes in accordance with RA-5 (a). Analyze the results of these automated scans to determine if the associated findings are legitimate or false positives. Add all legitimate findings to the POA&M for tracking and mitigation (refer to CA-5 for additional information). Track all mitigation timeframes on the POA&M and have associated tickets (or similar tracking mechanism) created as well, based on the date of discovery, with remediation timeframes in accordance with RA-5 (d). For vendor-provided security updates, measure and track the time between flaw identification (by vendor) and flaw remediation.
Part b. Adhere to remediation timeline requirements in accordance with RA-5 (d) timeframes. For vendor-provided security updates, adhere to the thirty (30) day timeline requirement in accordance with SI-2.
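As an added illustration of parts a and b (example code, not from 38North or this page): a small Python script that computes the average time from flaw identification to remediation per severity from ticket dates, and flags tickets, open or closed, that exceed their benchmark. The 30-day vendor-update benchmark is the SI-2 figure; the other benchmark values and the ticket records are constructed assumptions, not the organization's actual RA-5 (d) timeframes.

```python
from datetime import date
from statistics import mean

# Benchmarks in days, keyed by severity. "vendor" uses the 30-day SI-2 timeline;
# the other values are assumed placeholders standing in for RA-5 (d) timeframes.
BENCHMARK_DAYS = {"high": 30, "moderate": 90, "low": 180, "vendor": 30}

# Constructed sample tickets (one per finding); dates are ISO strings, and
# "remediated" is None while the finding is still open.
TICKETS = [
    {"id": "T-1", "severity": "high", "identified": "2024-01-05", "remediated": "2024-01-20"},
    {"id": "T-2", "severity": "high", "identified": "2024-01-10", "remediated": "2024-03-01"},
    {"id": "T-3", "severity": "moderate", "identified": "2024-02-01", "remediated": "2024-03-15"},
    {"id": "T-4", "severity": "low", "identified": "2024-02-01", "remediated": None},
    {"id": "T-5", "severity": "vendor", "identified": "2024-03-01", "remediated": None},
]


def elapsed_days(ticket, as_of):
    """Days from identification to remediation; open tickets are measured up to as_of."""
    end = date.fromisoformat(ticket["remediated"] or as_of)
    return (end - date.fromisoformat(ticket["identified"])).days


def mean_time_to_remediate(tickets):
    """Part a: average days to close, per severity, over remediated tickets only."""
    closed = {}
    for t in tickets:
        if t["remediated"]:
            closed.setdefault(t["severity"], []).append(elapsed_days(t, t["remediated"]))
    return {sev: mean(days) for sev, days in closed.items()}


def benchmark_breaches(tickets, as_of):
    """Part b: ids of tickets whose elapsed time exceeds the benchmark for their severity.
    Open tickets count too, so an aging finding is flagged before it is closed late."""
    return [t["id"] for t in tickets if elapsed_days(t, as_of) > BENCHMARK_DAYS[t["severity"]]]


if __name__ == "__main__":
    today = "2024-04-01"  # constructed reporting date
    print("Mean time to remediate (days):", mean_time_to_remediate(TICKETS))
    print("Benchmark breaches as of", today, ":", benchmark_breaches(TICKETS, today))
```

Feeding the script real ticket exports gives the "average time measured between flaw identification and flaw remediation" evidence that part a asks for, with the breach list doubling as a POA&M aging check.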
Best Practice:
Do you ever see auditors actually ask for average time to remediate metrics, or are L/M/H scan finding/remediation tickets sufficient? No, they just sample L/M/H scan finding/remediation tickets.
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Part a. Dates and time stamps within tickets (or similar documentation) and scanning solutions for system flaw identification and remediation activities. Average time measured between flaw identification and flaw remediation.
Part b. Tickets (or similar documentation) for low, moderate, and high/critical findings showing identified vulnerability scan issues and other flaw remediation issues are resolved within RA-5 (d) remediation timeframes and that vendor-provided security updates are tested and installed within thirty (30) days of release.
CSP Implementation Tips: None