Level 5 CMMC - CMMC Practices


Reference: CMMC 1.02

Family: RM

Level Introduced: 2

Remediate vulnerabilities in accordance with risk assessments.

CMMC Clarification:
Review the prioritized list of vulnerabilities generated from the vulnerability scanner. Not all vulnerabilities may affect an organization the same. Review the risks of not remediating the discovered vulnerabilities. The organization should build upon the prioritized list and develop a prioritized mitigation plan for closing the vulnerabilities identified and track their completion.

You are in charge of IT at your organization. Part of your job is to look for weaknesses in your software that may provide ways for hackers to get into your network and do harm. You perform vulnerability scans to try and find these weaknesses. The output of a scan is a list of the potential weaknesses, also called vulnerabilities. You should review the vulnerabilities and determine how they will affect your organization. You should create a prioritized list of the vulnerabilities you should fix, fix them, and record a completion date and time by each item. If you decide not to fix them, you should document the reasoning, and you should continue to monitor these vulnerabilities.


Remediate vulnerabilities in accordance with risk assessments.

Vulnerabilities discovered, for example, via the scanning conducted in response to 3.11.2, are remediated with consideration of the related assessment of risk. The consideration of risk influences the prioritization of remediation efforts and the level of effort to be expended in the remediation for specific vulnerabilities.

Source: NIST Special Publication 800-171 Rev. 2



The organization:
    a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported;
    b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
        1. Enumerating platforms, software flaws, and improper configurations;
        2. Formatting checklists and test procedures; and
        3. Measuring vulnerability impact;
    c. Analyzes vulnerability scan reports and results from security control assessments;
    d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and
    e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).

Supplemental Guidance:
Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. Organizations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms. Organizations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine/test for the presence of vulnerabilities. Suggested sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security control assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organizations also consider using tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). Related controls: CA-2, CA-7, CM-4, CM-6, RA-2, RA-3, SA-11, SI-2.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02