Level 5 CMMC - CMMC Practices

SI.1.210  

Reference: CMMC 1.02

Family: SI

Level Introduced: 1

Practice:
Identify, report, and correct information and information system flaws in a timely manner.

CMMC Clarification:
All software and firmware have potential flaws. Many vendors work to reduce those flaws by releasing vulnerability information and updates to their software and firmware. Organizations should have a process to review relevant vendor newsletters with updates about common problems or weaknesses. After reviewing the information the organization should execute a process called patch management that allows for systems to be updated without adversely affecting the organization. Organizations should also purchase support from their vendors to ensure timely access to updates.

Example
You have many responsibilities at your company, including IT. You know that malware, ransomware, and viruses can be a big problem for companies. You make sure to enable all security updates for your software, including the operating system and applications, and purchase the maintenance packages for new hardware and operating systems.

3.14.1

Identify, report, and correct system flaws in a timely manner.

Discussion:
Organizations identify systems that are affected by announced software and firmware flaws including potential vulnerabilities resulting from those flaws and report this information to designated personnel with information security responsibilities. Security-relevant updates include patches, service packs, hot fixes, and anti-virus signatures. Organizations address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations can take advantage of available resources such as the Common Weakness Enumeration (CWE) database or Common Vulnerabilities and Exposures (CVE) database in remediating flaws discovered in organizational systems.

Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types of remediation.

[SP 800-40] provides guidance on patch management technologies.

Source: NIST Special Publication 800-171 Rev. 2

SI-2

FLAW REMEDIATION

Description:
The organization:
    a. Identifies, reports, and corrects information system flaws;
    b. Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;
    c. Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and
    d. Incorporates flaw remediation into the organizational configuration management process.

Supplemental Guidance:
Organizations identify information systems affected by announced software flaws including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security responsibilities. Security-relevant software updates include, for example, patches, service packs, hot fixes, and anti-virus signatures. Organizations also address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations take advantage of available resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and Exposures (CVE) databases in remediating flaws discovered in organizational information systems. By incorporating flaw remediation into ongoing configuration management processes, required/anticipated remediation actions can be tracked and verified. Flaw remediation actions that can be tracked and verified include, for example, determining whether organizations follow US-CERT guidance and Information Assurance Vulnerability Alerts. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types. Organizations determine the degree and type of testing needed for the specific type of flaw remediation activity under consideration and also the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software and/or firmware updates is not necessary or practical, for example, when implementing simple anti-virus signature updates. Organizations may also consider in testing decisions, whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures. Related controls: CA-2, CA-7, CM-3, CM-5, CM-8, MA-2, IR-4, RA-5, SA-10, SA-11, SI-11.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02