Navigate

SI-2 (3)

SI-2 (3): Time To Remediate Flaws / Benchmarks For Corrective Actions

The organization:

SI-2 (3)(a): Measures the time between flaw identification and flaw remediation; and

SI-2 (3)(b): Establishes [Assignment: organization-defined benchmarks] for taking corrective actions.

Supplemental

This control enhancement requires organizations to determine the current time it takes on the average to correct information system flaws after such flaws have been identified, and subsequently establish organizational benchmarks (i.e., time frames) for taking corrective actions. Benchmarks can be established by type of flaw and/or severity of the potential vulnerability if the flaw can be exploited.

CIA Levels
Confidentiality	unknown
Integrity	low
Availability	unknown

Overlays
None

Related Controls

The controls below (if any) were marked by NIST as being related to SI-2 (3).

Control	Description
No controls

Enhancements

The controls below (if any) add on to the requirements of SI-2 (3).

Control	Description
No controls

Related CCIs

The CCIs below are tied to SI-2 (3).

CCI	Definition
CCI-001235	The organization measures the time between flaw identification and flaw remediation.
CCI-001236	The organization defines benchmarks for the time taken to apply corrective actions after flaw identification.
CCI-002608	The organization establishes organization-defined benchmarks for the time taken to apply corrective actions after flaw identification.