Navigate

CCI-001289

CCI-001289 Definition

The organization implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.

Validation Procedures

The organization conducting the inspection/assessment examines the information system and obtains and examines records of compliance and/or non-compliance reporting to ensure that security directives have been implemented in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.

Compelling Evidence

1.) Signed and dated System security plan documents how it implements security directives within established time frames (this includes documenting the time frames by severity level) and defines how it notifies organization issuing the security directives of noncompliance.

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-001289.

Control	Description
SI-5	The organization: SI-5a.: Receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis; SI-5b.: Generates internal security alerts, advisories, and directives as deemed necessary; SI-5c.: Disseminates security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and SI-5d.: Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.

Control

Description

SI-5

The organization:

SI-5a.: Receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis;

SI-5b.: Generates internal security alerts, advisories, and directives as deemed necessary;

SI-5c.: Disseminates security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and

SI-5d.: Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.