NIST 800-53 REV 5 • SYSTEM AND INFORMATION INTEGRITY

SI-2(3) Time to Remediate Flaws and Benchmarks for Corrective Actions

Measure the time between flaw identification and flaw remediation; and establish the following benchmarks for taking corrective actions: [Assignment: organization-defined benchmarks].

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Organizations determine the time it takes on average to correct system flaws after such flaws have been identified and subsequently establish organizational benchmarks (i.e., time frames) for taking corrective actions. Benchmarks can be established by the type of flaw or the severity of the potential vulnerability if the flaw can be exploited.

Practitioner Notes

Set specific remediation timelines and benchmarks: how quickly must vulnerabilities of each severity level be fixed?

Example 1: Define a patch SLA in your security policy: critical vulnerabilities within 72 hours, high within 14 days, medium within 30 days, low within 90 days. Track these timelines in your vulnerability management tool and report compliance to leadership monthly.

Example 2: Use your SIEM or vulnerability management platform to create dashboards showing time-to-remediation metrics. Track the average number of days to patch by severity level. If you are consistently missing your benchmarks, investigate whether you need more patching resources or better processes.
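Examples 1 and 2 describe measuring time to remediation against per-severity benchmarks and reporting compliance. The following Python is an added illustration (not from this page or from NIST) that computes those metrics over constructed findings using the SLA values from Example 1; the Finding fields and the F-00x identifiers are assumptions standing in for a scanner or ticketing export.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Benchmarks from Example 1 above (the organization-defined values for SI-2(3)).
SLA = {"critical": timedelta(hours=72), "high": timedelta(days=14),
       "medium": timedelta(days=30), "low": timedelta(days=90)}

@dataclass
class Finding:
    finding_id: str                 # hypothetical scanner/ticket identifier
    severity: str
    identified: datetime            # when the flaw was first identified
    remediated: Optional[datetime]  # None while the flaw is still open

def time_to_remediate(f: Finding, as_of: datetime) -> timedelta:
    """Elapsed time from identification to remediation, or to as_of if still open."""
    return (f.remediated or as_of) - f.identified

def sla_report(findings, as_of):
    """Per severity: counts, mean days to remediate, % closed within SLA, open past due."""
    report = {}
    for sev, limit in SLA.items():
        group = [f for f in findings if f.severity == sev]
        closed = [f for f in group if f.remediated is not None]
        within = [f for f in closed if time_to_remediate(f, as_of) <= limit]
        # Open findings already past the benchmark need escalation now, not at month end.
        past_due = [f.finding_id for f in group
                    if f.remediated is None and time_to_remediate(f, as_of) > limit]
        mean_days = None
        if closed:
            total = sum((time_to_remediate(f, as_of) for f in closed), timedelta())
            mean_days = round(total.total_seconds() / 86400 / len(closed), 1)
        report[sev] = {"total": len(group), "closed": len(closed),
                       "mean_days_to_remediate": mean_days,
                       "pct_within_sla": round(100 * len(within) / len(closed), 1) if closed else None,
                       "open_past_due": past_due}
    return report

# Constructed sample findings (not real data); AS_OF is the report date.
AS_OF = datetime(2024, 3, 1)
SAMPLE = [
    Finding("F-001", "critical", datetime(2024, 2, 1, 9), datetime(2024, 2, 3, 9)),   # 48 h: within
    Finding("F-002", "critical", datetime(2024, 2, 5, 9), datetime(2024, 2, 10, 9)),  # 120 h: breach
    Finding("F-003", "high", datetime(2024, 2, 1), datetime(2024, 2, 10)),            # 9 d: within
    Finding("F-004", "high", datetime(2024, 1, 20), None),                            # open 41 d: past due
    Finding("F-005", "medium", datetime(2024, 2, 15), None),                          # open 15 d: not yet due
    Finding("F-006", "low", datetime(2023, 11, 1), datetime(2024, 1, 15)),            # 75 d: within
]
```

Calling sla_report(SAMPLE, AS_OF) yields, for example, 50.0% of critical findings closed within SLA with a 3.5-day mean, and F-004 listed as an open high finding past its 14-day benchmark; replacing SAMPLE with a real export gives the monthly leadership report described in Example 1.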