Reference: CMMC 2.11
Family: RA
Level Introduced: 2
Title: Vulnerability Remediation
Practice:
Remediate vulnerabilities in accordance with risk assessments.
CMMC Clarification:
Review the prioritized list of vulnerabilities generated from the vulnerability scanner. Not all vulnerabilities may affect an organization the same. Review the risks of not remediating the discovered vulnerabilities. The organization should build upon the prioritized list and develop a prioritized mitigation plan for closing the vulnerabilities identified and track their completion.
Example
You are in charge of IT at your organization. Part of your job is to look for weaknesses in your software that may provide ways for hackers to get into your network and do harm. You perform vulnerability scans to try and find these weaknesses. The output of a scan is a list of the potential weaknesses, also called vulnerabilities. You should review the vulnerabilities and determine how they will affect your organization. You should create a prioritized list of the vulnerabilities you should fix, fix them, and record a completion date and time by each item. If you decide not to fix them, you should document the reasoning, and you should continue to monitor these vulnerabilities.
Implementation Strategies
This is for registered users only. Please sign up for a free account, or Login, to see complete cross references to other standards and frameworks.
NIST 800-171 Requirements (1)
This is for registered users only. Please sign up for a free account, or Login, to see complete cross references to other standards and frameworks.
NIST 800-53 Controls (1)
This is for registered users only. Please sign up for a free account, or Login, to see complete cross references to other standards and frameworks.