NIST 800-53 REV 5 • SYSTEM AND INFORMATION INTEGRITY

SI-2(5) Automatic Software and Firmware Updates

Install [Assignment: organization-defined security-relevant software and firmware updates] automatically to [Assignment: organization-defined system components].

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Due to system integrity and availability concerns, organizations consider the methodology used to carry out automatic updates. Organizations balance the need to ensure that the updates are installed as soon as possible with the need to maintain configuration management and control with any mission or operational impacts that automatic updates might impose (i.e., implementing a staggered deployment strategy).

Practitioner Notes

Enable automatic software and firmware updates where feasible, so systems receive critical security fixes without waiting for manual deployment.

Example 1: Configure Windows Update for Business policies via Intune to automatically install security updates with a short deferral period (e.g., 3 days for quality updates). This ensures machines get patches quickly while allowing a brief window to catch bad updates.

Example 2: Enable automatic firmware updates on your firewall appliances for critical security patches. Palo Alto, Fortinet, and other vendors offer automatic threat content updates (signatures, definitions) that should be applied as soon as they are available.
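
Added example (not part of the NIST text or any vendor tooling): a small audit that applies the staggered deployment strategy from the Supplemental Guidance and the 3-day deferral from Example 1 to a device inventory, flagging devices that missed their window or bypassed the deferral. The ring names, the other deferral values, the grace period, and the inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed ring plan: days each ring defers an update after vendor release.
# "broad" uses the 3-day deferral from Example 1; other values are illustrative.
RINGS = {"pilot": 0, "broad": 3, "critical": 7}
GRACE_DAYS = 2  # assumed allowance for install and reboot once the deferral ends

@dataclass
class Device:
    name: str
    ring: str
    installed_on: Optional[date]  # None means the update is not installed yet

def audit(devices, released, today):
    """Classify each device's status for one update released on `released`."""
    report = {}
    for d in devices:
        if d.ring not in RINGS:
            report[d.name] = "unassigned"  # outside every automatic-update ring
            continue
        offered = released + timedelta(days=RINGS[d.ring])
        deadline = offered + timedelta(days=GRACE_DAYS)
        if d.installed_on is None:
            report[d.name] = "overdue" if today > deadline else "pending"
        elif d.installed_on < offered:
            report[d.name] = "early"  # installed before its ring opened: deferral not enforced
        elif d.installed_on <= deadline:
            report[d.name] = "compliant"
        else:
            report[d.name] = "late"
    return report

# Constructed inventory for illustration; not real hosts.
SAMPLE = [
    Device("ws-001", "pilot", date(2024, 1, 9)),
    Device("ws-014", "broad", date(2024, 1, 10)),
    Device("ws-020", "broad", None),
    Device("ws-031", "broad", date(2024, 1, 15)),
    Device("db-003", "critical", None),
    Device("fw-001", "manual", None),
]

if __name__ == "__main__":
    for name, status in audit(SAMPLE, date(2024, 1, 9), date(2024, 1, 16)).items():
        print(f"{name}: {status}")
```

The "early" and "unassigned" results matter as much as "overdue": the first indicates the deferral policy is not actually enforced on that device, and the second that the device has no automatic update path at all.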