CCI-001227
CCI-001227 Definition
The organization corrects information system flaws.
Status | |
Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
The organization being inspected/assessed corrects information system flaws within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, STIGs). The organization documents the corrections on its POA&M. DoD has defined the time period as within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, STIGs).
Validation Procedures
The organization conducting the inspection/assessment obtains and examines the information system POA&M and examines the information system to ensure the organization being inspected/assessed corrects information system flaws.
Compelling Evidence
1. Signed and dated System Security Plan (SSP) with a reference to the section that pertains to how system flaws are fixed or mitigated.