CCI-001060

Defines response times for remediating legitimate vulnerabilities in accordance with an organization assessment of risk.

Implementation Guidance

Determine if legitimate vulnerabilities are remediated [RA-05_ODP[03]; response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk are defined] in accordance with an organizational assessment of risk.

Validation Procedures

Examine: [SELECT FROM: Risk assessment policy; procedures addressing vulnerability scanning; risk assessment; assessment report; vulnerability scanning tools and associated configuration documentation; vulnerability scanning results; patch and vulnerability management records; system security plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with risk assessment, control assessment, and vulnerability scanning responsibilities; organizational personnel with vulnerability scan analysis responsibilities; organizational personnel with vulnerability remediation responsibilities; organizational personnel with security responsibilities; system/network administrators]. Test: [SELECT FROM: Organizational processes for vulnerability scanning, analysis, remediation, and information sharing; mechanisms supporting and/or implementing vulnerability scanning, analysis, remediation, and information sharing].

The controls below (if any) were marked by NIST as being related to CCI-001060.