CCI-001228
CCI-001228 Definition
Status | |
Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
The organization being inspected/assessed documents and implements a process to test software updates related to flaw remediation for effectiveness before installation. If the software update is being provided by a vendor who has documented the effectiveness of the update in fixing the affected IAVM/CVE, further testing by the organization may not be required.
Validation Procedures
The organization conducting the inspection/assessment obtains and examines the documented process and test results to ensure the organization being inspected/assessed tests software updates related to flaw remediation for effectiveness before installation.
Compelling Evidence
1.) Signed and dated System security plan (SSP).
2.) Continuous monitoring plan.
3.) Reference to system security plan and continuous monitoring plan sections pertaining to the process for testing software updates.
4.) Signed and dated testing process logs.