This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization:
(a) Receives information system security alerts, advisories, and directives from [FedRAMP Assignment: (L)(M)(H) to include US-CERT] on an ongoing basis;
(b) Generates internal security alerts, advisories, and directives as deemed necessary;
(c) Disseminates security alerts, advisories, and directives to: [FedRAMP Assignment: (L)(M)(H) to include system security personnel and administrators with configuration/patch-management responsibilities]; and
(d) Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.
NIST 800-53 (r4) Supplemental Guidance:
The United States Computer Emergency Readiness Team (US-CERT) generates security alerts and advisories to maintain situational awareness across the federal government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance to security directives is essential due to the critical nature of many of these directives and the potential immediate adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include, for example, external mission/business partners, supply chain partners, external service providers, and other peer/supporting organizations. Related control: SI-2.
References: NIST Special Publication 800-40.
NIST 800-53 (r5) Discussion:
The Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness throughout the Federal Government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance with security directives is essential due to the critical nature of many of these directives and the potential (immediate) adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include supply chain partners, external mission or business partners, external service providers, and other peer or supporting organizations.
38North Guidance:
Meets Minimum Requirement:
Subscribe to US-CERT's advisory listings: https://us-cert.cisa.gov/mailing-lists-and-feeds. Ensure notifications are sent to key security roles (e.g., Service Team Lead, Security leads, CISO, etc.).
Best Practice:
Subscribe to the relevant CSP security advisory mailing lists.
Subscribe to US-CERT's advisory listings: https://us-cert.cisa.gov/mailing-lists-and-feeds.
Subscribe to industry security newsletters, subscription lists, and software update news releases. Subscribe to updates for all operating systems, offerings, and technology deployed in the environment.
Monitor organizational communications (e.g., Microsoft Teams, Slack, etc.) for announcements of critical vulnerabilities requiring immediate attention.
Ensure notifications are sent to key security roles (e.g., Service Team Lead, Security leads, CISO, etc.).
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Sample email alert from CSP Security Advisory mailing list.
Sample email alert from US-CERT.
Screenshots of email notifications and subscriptions showing that industry security newsletters, subscription lists, software update news releases, security alerts, advisories, and directives are delivered to Security Teams, Service team security leads, etc.
Tickets showing the implementation of security alerts and directives within the established time frames.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD