SI 5 SECURITY ALERTS, ADVISORIES, AND DIRECTIVES - NIST-SP-800-53-R5/NIST-SP-800-53-R5.github.io GitHub Wiki

SI-5 SECURITY ALERTS, ADVISORIES, AND DIRECTIVES

Control:

  • a. Receive system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis;
  • b. Generate internal security alerts, advisories, and directives as deemed necessary;
  • c. Disseminate security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and
  • d. Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance.

Discussion: The Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness throughout the Federal Government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance with security directives is essential due to the critical nature of many of these directives and the potential (immediate) adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include supply chain partners, external mission or business partners, external service providers, and other peer or supporting organizations.

Related Controls: PM-15, RA-5, SI-2.

Control Enhancements:

  • (1) SECURITY ALERTS, ADVISORIES, AND DIRECTIVES / AUTOMATED ALERTS AND ADVISORIES
    Broadcast security alert and advisory information throughout the organization using [Assignment: organization-defined automated mechanisms].

    Discussion: The significant number of changes to organizational systems and environments of operation requires the dissemination of security-related information to a variety of organizational entities that have a direct interest in the success of organizational mission and business functions. Based on information provided by security alerts and advisories, changes may be required at one or more of the three levels related to the management of risk, including the governance level, mission and business process level, and the information system level.

    Related Controls: None.

References: [SP 800-40].
