Requirement text: RM.2.143: Remediate vulnerabilities in accordance with risk assessments.
DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Vulnerabilities discovered, for example, via the scanning conducted in response to RM.2.142,
are remediated with consideration of the related assessment of risk. The consideration of
risk influences the prioritization of remediation efforts and the level of effort to be expended
in the remediation for specific vulnerabilities.
CMMC CLARIFICATION
Review the prioritized list of vulnerabilities generated from the vulnerability scanner. Not
all vulnerabilities may affect an organization the same. Review the risks of not remediating
the discovered vulnerabilities. The organization should build upon the prioritized list and
develop a prioritized mitigation plan for closing the vulnerabilities identified and track their
completion.
Example
You are in charge of IT at your organization. Part of your job is to look for weaknesses in
your software that may provide ways for hackers to get into your network and do harm. You
perform vulnerability scans to try and find these weaknesses. The output of a scan is a list
of the potential weaknesses, also called vulnerabilities. You should review the
vulnerabilities and determine how they will affect your organization. You should create a
prioritized list of the vulnerabilities you should fix, fix them, and record a completion date
and time by each item. If you decide not to fix them, you should document the reasoning,
and you should continue to monitor these vulnerabilities.
References
• NIST SP 800-171 Rev 1 3.11.3
• CIS Controls v7.1 3.7
• NIST CSF v1.1 RS.MI-3
• CERT RMM v1.2 VAR:SG3.SP1
• NIST SP 800-53 Rev 4 RA-5