CMMC SI.1.210 – Manage System Vulnerabilities
Requirement text:
SI.1.210: Identify, report, and correct information system flaws in a timely manner.
DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Organizations identify systems that are affected by announced software and firmware flaws including potential vulnerabilities resulting from those flaws and report this information to designated personnel with information security responsibilities. Security-relevant updates include patches, service packs, hot fixes, and anti-virus signatures. Organizations address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations can take advantage of available resources such as the Common Weakness Enumeration (CWE) database or Common Vulnerabilities and Exposures (CVE) database in remediating flaws discovered in organizational systems.
Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types of remediation. NIST SP 800-40 provides guidance on patch management technologies.
CMMC CLARIFICATION
All software and firmware have potential flaws. Many vendors work to reduce those flaws by releasing vulnerability information and updates to their software and firmware. Organizations should have a process to review relevant vendor newsletters with updates about common problems or weaknesses. After reviewing the information the organization should execute a process called patch management that allows for systems to be updated without adversely affecting the organization. Organizations should also purchase support from their vendors to ensure timely access to updates.
Example
You have many responsibilities at your company, including IT. You know that malware, ransomware, and viruses can be a big problem for companies. You make sure to enable all security updates for your software, including the operating system and applications, and purchase the maintenance packages for new hardware and operating systems.
Get Audit Ready
How to pass? Enable automatic download and install of system updates / patches on all of your devices. If your scanner, printer, router, or business software hasn’t been updated in a while, you should search for the latest update and install it. You remove apps that are no longer supported by the vendor.
How to fail? You are still using Windows XP or Windows 7 on your computers. You click cancel every time your system asks for an update. You’ve never updated your printer or router.
Reference
• FAR Clause 52.204-21 b.1.xii
• NIST SP 800-171 Rev 1 3.14.1
• NIST CSF v1.1 RS.CO-2, RS.MI-3
• CERT RMM v1.2 VAR:SG2.SP2
• NIST SP 800-53 Rev 4 SI-2
• UK NCSC Cyber Essentials
• AU ACSC Essential Eight
Related Articles
System and Information Integrity: SP 800-171 Security Family 3.14
Integrity is defined as guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. It is the assertion that data can only be accessed or modified by the authorized employees. ...CMMC CM.2.065 - Manage System Changes
Requirement text: CM.2.065: Track, review, approve, or disapprove, and log changes to organizational systems. DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2 Tracking, reviewing, approving/disapproving, and logging changes is called configuration ...CMMC Level 1 Overview - Basic Cyber Hygiene
CMMC Level 1 l focuses on Federal Contract Information (FCI), which is defined as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the ...CMMC CA.2.159 - Implement Plans of Action to Address Vulnerabilities
Requirement text: CA.2.159: Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2 The plan of action is a key ...CMMC SI.1.213 – Enable Malicious Code Scanning
Requirement text: SI.1.213: Perform periodic scans of information systems and real-time scans of files from external sources as files are downloaded, opened, or executed. DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2 Periodic scans of ...