catalog: SP800-53rev3 / class: Operational / family: (SI) System and Information Integrity



SI-02: Flaw Remediation

base control objective:
The organization:
a. Identifies, reports, and corrects information system flaws;
b. Tests software updates related to flaw remediation for effectiveness and potential side effects on organizational information systems before installation; and
c. Incorporates flaw remediation into the organizational configuration management process.

supplemental objective information:
The organization identifies information systems containing software affected by recently announced software flaws (and potential vulnerabilities resulting from those flaws) and reports this information to designated organizational officials with information security responsibilities (e.g., senior information security officers, information system security managers, information systems security officers). The organization (including any contractor to the organization) promptly installs security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling are also addressed expeditiously. Organizations are encouraged to use resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and Exposures (CVE) databases in remediating flaws discovered in organizational information systems. By requiring that flaw remediation be incorporated into the organizational configuration management process, it is the intent of this control that required/anticipated remediation actions are tracked and verified. An example of expected flaw remediation that would be so verified is whether the procedures contained in US-CERT guidance and Information Assurance Vulnerability Alerts have been accomplished.

enhancements to the base objective:

(1) The organization centrally manages the flaw remediation process and installs software updates automatically.
Enhancement Supplemental Guidance: Due to information system integrity and availability concerns, organizations should give careful consideration to the methodology used to carry out automatic updates.

(2) The organization employs automated mechanisms [Assignment: organization-defined frequency] to determine the state of information system components with regard to flaw remediation.

(3) The organization measures the time between flaw identification and flaw remediation, comparing with [Assignment: organization-defined benchmarks].

(4) The organization employs automated patch management tools to facilitate flaw remediation to [Assignment: organization-defined information system components].

mapping to FIPS199 baseline:

LOW: base
MOD: base (2)
HIGH: base (1) (2)

related (regimented) controls:

CA-02   Security Assessments
CA-07   Continuous Monitoring
CM-03   Configuration Change Control
MA-02   Controlled Maintenance
IR-04   Incident Handling
RA-05   Vulnerability Scanning
SA-11   Developer Security Testing
SI-11   Error Handling

documents referenced in SP800-53rev3 for SI-02:

Document        Date             Status    Title
NIST SP800-28   October, 2001    current   Guidelines on Active Content and Mobile Code
NIST SP800-40   November, 2005   current   Creating a Patch and Vulnerability Management Program
NIST SP800-51   September, 2002  current   Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme
NIST SP800-83   September, 2006  current   Guide to Malware Incident Prevention and Handling
