CCI-001225
CCI-001225 Definition
The organization identifies information system flaws.
Status | |
Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
The organization being inspected/assessed documents and implements a process to identify information system flaws. The process shall include review of the system through automated scans and manual checks to determine the existence of flaws, such as those listed in IAVM, CVE, or other resources.
Validation Procedures
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed identifies information system flaws.
Compelling Evidence
1.) Signed and dated System Security Plan (SSP) with a reference to the section that pertains to how information system flaws are to be identified (scans, manual checks, integrity monitor, etc.)