CMMC 2.0 • LEVEL 1 • SYSTEM & INFORMATION INTEGRITY

SI.L1-3.14.1 Flaw Remediation

Identify, report, and correct system flaws. Install security-relevant software and firmware updates within 72 hours of discovery or vendor notification (CMMC/STIG) of the release of the updates.

NIST 800-171 Mapping

NIST 800-53 Controls

Assessment Objectives

  • system flaws are identified.
  • system flaws are reported.
  • system flaws are corrected.
  • security-relevant software updates are installed within 72 hours of discovery or vendor notification (CMMC/STIG) of the release of the updates.
  • security-relevant firmware updates are installed within the following time frames of the release of the updates (CMMC/STIG): critical (CVSS 9.0–10.0): 15 days; high (CVSS 7.0–8.9): 30 days; moderate (CVSS 4.0–6.9): 60 days; low: 90 days.
