SI 2 FLAW REMEDIATION - NIST-SP-800-53-R5/NIST-SP-800-53-R5.github.io GitHub Wiki

Control:

• a. Identify, report, and correct system flaws;
• b. Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;
• c. Install security-relevant software and firmware updates within [ Assignment: organization-defined time period ] of the release of the updates; and
• d. Incorporate flaw remediation into the organizational configuration management process.

Discussion: The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security and privacy responsibilities. Security-relevant updates include patches, service packs, and malicious code signatures. Organizations also address flaws discovered during assessments, continuous monitoring, incident response activities, and system error handling. By incorporating flaw remediation into configuration management processes, required remediation actions can be tracked and verified.

Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of risk factors, including the security category of the system, the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw), the organizational risk tolerance, the mission supported by the system, or the threat environment. Some types of flaw remediation may require more testing than other types. Organizations determine the type of testing needed for the specific type of flaw remediation activity under consideration and the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software or firmware updates is not necessary or practical, such as when implementing simple malicious code signature updates. In testing decisions, organizations consider whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures.

Related Controls: CA-5 , CM-3 , CM-4 , CM-5 , CM-6 , CM-8 , MA-2 , RA-5 , SA-8 , SA-10 , SA-11 , SI-3 , SI-5 , SI-7 , SI-11.

Control Enhancements:

• (1) FLAW REMEDIATION / CENTRAL MANAGEMENT
  [Withdrawn: Incorporated into PL-9 .]

• (2) FLAW REMEDIATION / AUTOMATED FLAW REMEDIATION STATUS
  Determine if system components have applicable security-relevant software and firmware updates installed using [ Assignment: organization-defined automated mechanisms ] [ Assignment: organization-defined frequency ].

  Discussion: Automated mechanisms can track and determine the status of known flaws for system components.

  Related Controls: CA-7 , SI-4.

• (3) FLAW REMEDIATION / TIME TO REMEDIATE FLAWS AND BENCHMARKS FOR CORRECTIVE ACTIONS
  

  • (a) Measure the time between flaw identification and flaw remediation; and
  • (b) Establish the following benchmarks for taking corrective actions: [ Assignment: organization-defined benchmarks ].

  Discussion: Organizations determine the time it takes on average to correct system flaws after such flaws have been identified and subsequently establish organizational benchmarks (i.e., time frames) for taking corrective actions. Benchmarks can be established by the type of flaw or the severity of the potential vulnerability if the flaw can be exploited.

  Related Controls: None.

• (4) FLAW REMEDIATION / AUTOMATED PATCH MANAGEMENT TOOLS
  Employ automated patch management tools to facilitate flaw remediation to the following system components: [ Assignment: organization-defined system components ].

  Discussion: Using automated tools to support patch management helps to ensure the timeliness and completeness of system patching operations.

  Related Controls: None.

• (5) FLAW REMEDIATION / AUTOMATIC SOFTWARE AND FIRMWARE UPDATES
  Install [ Assignment: organization-defined security-relevant software and firmware updates ] automatically to [ Assignment: organization-defined system components ].

  Discussion: Due to system integrity and availability concerns, organizations consider the methodology used to carry out automatic updates. Organizations balance the need to ensure that the updates are installed as soon as possible with the need to maintain configuration management and control with any mission or operational impacts that automatic updates might impose.

  Related Controls: None.

• (6) FLAW REMEDIATION / REMOVAL OF PREVIOUS VERSIONS OF SOFTWARE AND FIRMWARE
  Remove previous versions of [ Assignment: organization-defined software and firmware components ] after updated versions have been installed.

  Discussion: Previous versions of software or firmware components that are not removed from the system after updates have been installed may be exploited by adversaries. Some products may automatically remove previous versions of software and firmware from the system.

  Related Controls: None.

References: [OMB A-130], [FIPS 140-3], [FIPS 186-4], [SP 800-39], [SP 800-40], [SP 800-128], [IR 7788].