CCI-002608

Establish organization-defined benchmarks for the time taken to apply corrective actions after flaw identification.

Implementation Guidance

Determine if [SI-02(03)_ODP; the benchmarks for taking corrective actions are defined] for taking corrective actions have been established.

Validation Procedures

Examine: [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing flaw remediation; system design documentation; system configuration settings and associated documentation; list of benchmarks for taking corrective action on identified flaws; records that provide timestamps of flaw identification and subsequent flaw remediation activities; system security plan; other relevant documents or records]. Interview: [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the system; organizational personnel responsible for flaw remediation]. Test: [SELECT FROM: Organizational processes for identifying, reporting, and correcting system flaws; mechanisms used to measure the time between flaw identification and flaw remediation].

The controls below (if any) were marked by NIST as being related to CCI-002608.