NIST 800-171 • LEVEL 2 • RISK ASSESSMENT

3.11.3 Remediate Vulnerabilities in Accordance with Risk Assessments

Remediate vulnerabilities in accordance with risk assessments.

CMMC Practice Mapping

NIST 800-53 Controls

Assessment Objectives

Assessment objectives not available for this requirement.

Practitioner Notes

Finding vulnerabilities is only half the job -- you have to actually fix them, and you should fix the most dangerous ones first. This practice says your remediation priority should be driven by your risk assessment, not just by whatever showed up most recently.

Example 1: After a Nessus scan, sort findings by CVSS score and cross-reference them with your risk assessment. A critical vulnerability on a system that processes CUI gets patched immediately. The same vulnerability on an isolated test machine with no CUI access can wait for the next maintenance window. Use your WSUS or SCCM console to push the patches and verify installation.

Example 2: In Microsoft Defender for Endpoint > Threat & Vulnerability Management > Remediation, create remediation requests tied to specific CVEs. Assign them to your IT team with deadlines based on severity -- 72 hours for critical, 30 days for medium. The portal tracks completion so you have evidence for your assessor.

Document your remediation decisions. If you accept a risk instead of fixing it, write down why and get leadership to sign off.
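The prioritization logic from the two examples, plus the risk-acceptance record, as an added illustration (not code from this page or from any of the tools it names). The findings, the asset inventory, the scan and maintenance-window dates, and the deadlines for the high and low bands are all constructed assumptions; the 72-hour and 30-day deadlines come from Example 2.

```python
from datetime import datetime, timedelta

# Constructed sample findings, the way a Nessus export might summarise them
# (host, CVE, CVSS v3 base score). Not real scan output.
FINDINGS = [
    {"host": "ws07",        "cve": "CVE-0000-0002", "cvss": 5.3},
    {"host": "lab-test-03", "cve": "CVE-0000-0001", "cvss": 9.8},
    {"host": "fs01",        "cve": "CVE-0000-0001", "cvss": 9.8},
]
# Assumed asset inventory taken from the risk assessment: does the host
# store or process CUI?
PROCESSES_CUI = {"fs01": True, "ws07": True, "lab-test-03": False}

# Remediation deadlines per severity band. Critical (72h) and medium (30d)
# follow Example 2; high and low are assumed fill-ins for the other bands.
SLA = {"critical": timedelta(hours=72), "high": timedelta(days=14),
       "medium": timedelta(days=30), "low": timedelta(days=90)}

SCAN_TIME = datetime(2024, 1, 1, 9, 0)            # constructed
NEXT_WINDOW = datetime(2024, 1, 20, 22, 0)        # constructed maintenance window

def severity(cvss):
    """Map a CVSS v3 base score to the standard qualitative band."""
    if cvss >= 9.0: return "critical"
    if cvss >= 7.0: return "high"
    if cvss >= 4.0: return "medium"
    return "low"

def plan_remediation(findings, cui_map, scan_time, next_window):
    """Rank findings by risk (CUI exposure first, then CVSS) and assign a due
    date: CUI hosts get the severity SLA, non-CUI hosts wait for the next
    maintenance window, as Example 1 describes."""
    plan = []
    for f in findings:
        cui = cui_map.get(f["host"], True)   # unknown host: assume CUI (conservative)
        sev = severity(f["cvss"])
        due = scan_time + SLA[sev] if cui else next_window
        plan.append({**f, "cui": cui, "severity": sev, "due": due})
    plan.sort(key=lambda r: (not r["cui"], -r["cvss"]))
    return plan

def accept_risk(finding, justification, approver):
    """Record a risk acceptance. Both a written reason and a leadership
    sign-off are required, otherwise the decision is rejected."""
    if not justification or not approver:
        raise ValueError("risk acceptance needs a justification and an approver")
    return {**finding, "decision": "accept", "why": justification,
            "approved_by": approver}

if __name__ == "__main__":
    for row in plan_remediation(FINDINGS, PROCESSES_CUI, SCAN_TIME, NEXT_WINDOW):
        print(row["host"], row["cve"], row["severity"], "due", row["due"])
```

The sorted plan is the evidence trail an assessor asks for: which finding was handled first, why, and by when.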