SI-2(3)
SI-2(3): Time to Remediate Flaws / Benchmarks for Corrective Actions
The organization:
- (a): Measures the time between flaw identification and flaw remediation; and
- (b): Establishes [organization-defined benchmarks] for taking corrective actions.
Supplemental
This control enhancement requires organizations to determine the current time it takes on the average to correct information system flaws after such flaws have been identified, and subsequently establish organizational benchmarks (i.e., time frames) for taking corrective actions. Benchmarks can be established by type of flaw and/or severity of the potential vulnerability if the flaw can be exploited.
CIA Levels | |
---|---|
Confidentiality | unknown |
Integrity | high |
Availability | unknown |
Overlays |
---|
None |
CSF Categories |
---|
None |