Overview:
Identify, report, and correct information and information system flaws in a timely manner.
Action Items:
3.14.1[a]
Determine if: the time within which to identify system flaws is specified.
3.14.1[b]
Determine if: system flaws are identified within the specified time frame.
3.14.1[c]
Determine if: the time within which to report system flaws is specified.
3.14.1[d]
Determine if: system flaws are reported within the specified time frame.
3.14.1[e]
Determine if: the time within which to correct system flaws is specified.
3.14.1[f]
Determine if: system flaws are corrected within the specified time frame.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
1) Examine: System and information integrity policy; procedures addressing flaw remediation; procedures addressing configuration management; system security plan; list of flaws and vulnerabilities potentially affecting the system; list of recent security flaw remediation actions performed on the system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct system flaws); test results from the installation of software and firmware updates to correct system flaws; installation/change control records for security-relevant software and firmware updates; other relevant documents or records.
2) Interview: System or network administrators; personnel with information security responsibilities; personnel installing, configuring, and maintaining the system; personnel with responsibility for flaw remediation; personnel with configuration management responsibility.
3) Test: Organizational processes for identifying, reporting, and correcting system flaws; organizational process for installing software and firmware updates; mechanisms supporting or implementing reporting and correcting system flaws; mechanisms supporting or implementing testing of software and firmware updates.
Related Documents (document name and content will vary by organization):
1) System and information integrity policy
2) procedures addressing flaw remediation
3) procedures addressing configuration management
4) system security plan
5) list of flaws and vulnerabilities potentially affecting the system
6) list of recent security flaw remediation actions performed on the system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct system flaws)
7) test results from the installation of software and firmware updates to correct system flaws
8) installation/change control records for security-relevant software and firmware updates
9) other relevant documents or records
Additional Guidance:
Organizations identify systems that are affected by announced software and firmware flaws including potential vulnerabilities resulting from those flaws, and report this information to designated personnel with information security responsibilities. Security-relevant updates include, for example, patches, service packs, hot fixes, and anti-virus signatures. Organizations also address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations can take advantage of available resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and Exposures (CVE) databases in remediating flaws discovered in organizational systems.
By incorporating flaw remediation into configuration management processes, any required or anticipated remediation actions can be tracked and verified. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including, for example, the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types of remediation. Organizations determine the degree and type of testing needed for the specific type of flaw remediation activity under consideration and the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software and firmware updates is not necessary or practical, for example, when implementing simple anti-virus signature updates. Organizations may also consider, in testing decisions, whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures. NIST Special Publication 800-40 provides guidance on patch management technologies.
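The assessment objectives 3.14.1[a] through [f] and the guidance above reduce to one check: time frames for identifying, reporting, and correcting flaws are specified (typically per severity), and each tracked flaw actually moved through those phases within them. The following script is an added example, not part of this article or of NIST SP 800-171; it evaluates remediation records against a hypothetical severity-based time frame table. The severity names, day limits, `FlawRecord` fields, and sample records are constructed assumptions, and an organization would substitute its own documented periods and export records from its ticketing or patch-management system.

```python
# Added example, not part of the original article or of NIST SP 800-171:
# checks flaw remediation records against organization-defined time frames
# (assessment objectives 3.14.1[a]-[f]). Severities, day limits and records
# are constructed sample values; substitute the organization's own SLA table
# and ticketing/patch-management data.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical organization-defined time frames in calendar days, keyed by the
# severity assigned to the flaw. 3.14.1[a], [c] and [e] require that such
# periods be specified; the assessor confirms they are documented.
TIME_FRAMES_DAYS = {
    "critical": {"identify": 1,  "report": 1,  "correct": 7},
    "high":     {"identify": 3,  "report": 2,  "correct": 30},
    "medium":   {"identify": 7,  "report": 5,  "correct": 90},
    "low":      {"identify": 14, "report": 10, "correct": 180},
}

PHASES = ("identify", "report", "correct")


@dataclass
class FlawRecord:
    flaw_id: str                 # tracking id: CVE id, ticket number, etc.
    severity: str
    announced: date              # vendor advisory, CVE publication or scan date
    identified: Optional[date]   # org determined the flaw affects its system
    reported: Optional[date]     # reported to personnel with security responsibility
    corrected: Optional[date]    # update or mitigation installed and verified


def evaluate(record, today, time_frames=TIME_FRAMES_DAYS):
    """Map each phase to 'met', 'missed', 'overdue', 'pending' or 'not_started'.

    met / missed: the phase finished inside / outside its time frame.
    overdue / pending: the phase is unfinished and its deadline has / has not passed.
    not_started: the preceding phase never finished, so this clock has not begun.
    """
    sev = record.severity.lower()
    if sev not in time_frames:
        raise ValueError(f"{record.flaw_id}: no time frame defined for severity {sev!r}")
    limits = time_frames[sev]
    # Each phase's clock starts when the previous phase finished (3.14.1[b], [d], [f]).
    starts = {"identify": record.announced, "report": record.identified, "correct": record.reported}
    ends = {"identify": record.identified, "report": record.reported, "correct": record.corrected}
    status = {}
    for phase in PHASES:
        start, end = starts[phase], ends[phase]
        if start is None:
            status[phase] = "not_started"
            continue
        deadline = start + timedelta(days=limits[phase])
        if end is None:
            status[phase] = "overdue" if today > deadline else "pending"
        else:
            status[phase] = "met" if end <= deadline else "missed"
    return status


def noncompliant(records, today, time_frames=TIME_FRAMES_DAYS):
    """Return ids of records with any phase missed or overdue: findings against 3.14.1."""
    return [r.flaw_id for r in records
            if any(s in ("missed", "overdue") for s in evaluate(r, today, time_frames).values())]


# Constructed sample records; the assessment date used here is the article's own date.
ASSESSMENT_DATE = date(2022, 9, 26)
SAMPLE_RECORDS = [
    FlawRecord("FLAW-001", "critical", date(2022, 9, 1), date(2022, 9, 1), date(2022, 9, 2), date(2022, 9, 6)),
    FlawRecord("FLAW-002", "high", date(2022, 8, 1), date(2022, 8, 5), date(2022, 8, 6), None),
    FlawRecord("FLAW-003", "medium", date(2022, 9, 20), None, None, None),
]

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(r.flaw_id, r.severity, evaluate(r, ASSESSMENT_DATE))
    print("non-compliant:", noncompliant(SAMPLE_RECORDS, ASSESSMENT_DATE))
```

Each phase's clock starts when the previous one finished, so a late identification does not shorten the reporting window; a flaw whose deadline has passed without completion is reported as overdue rather than silently pending, which is the condition an assessor examining the list of recent remediation actions would want surfaced.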
Article ID: 209
Created: September 26, 2022
Last Updated: September 26, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/nist-800-171-flaw-remediation-3-14-1-209.html