SI-2—Flaw Remediation
>Control Description
Identify, report, and correct system flaws;
Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;
Install security-relevant software and firmware updates within ⚙organization-defined time period of the release of the updates; and
Incorporate flaw remediation into the organizational configuration management process.
>DoD Impact Level Requirements
FedRAMP Parameter Values
SI-2 (c) [within thirty (30) days of release of updates]
>Discussion
The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security and privacy responsibilities. Security-relevant updates include patches, service packs, and malicious code signatures.
Organizations also address flaws discovered during assessments, continuous monitoring, incident response activities, and system error handling. By incorporating flaw remediation into configuration management processes, required remediation actions can be tracked and verified. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of risk factors, including the security category of the system, the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw), the organizational risk tolerance, the mission supported by the system, or the threat environment.
Some types of flaw remediation may require more testing than other types. Organizations determine the type of testing needed for the specific type of flaw remediation activity under consideration and the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software or firmware updates is not necessary or practical, such as when implementing simple malicious code signature updates.
In testing decisions, organizations consider whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures.
>Programmatic Queries
Related Services
CLI Commands
aws ssm describe-patch-baselinesaws ssm list-compliance-summaries --filters 'Key=ComplianceType,Values=Patch'aws ssm describe-instance-patch-statesaws ssm describe-patch-group-state --patch-group PATCH_GROUP>Related Controls
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- •What policies and procedures govern flaw remediation?
- •Who is responsible for monitoring system and information integrity?
- •How frequently are integrity monitoring processes reviewed and updated?
- •What is your process for identifying, reporting, and remediating flaws and vulnerabilities?
- •What is your patch management process and timeline?
Technical Implementation:
- •What technical controls detect and respond to flaw remediation issues?
- •How are integrity violations identified and reported?
- •What automated tools support system and information integrity monitoring?
- •What tools are used to identify software flaws and vulnerabilities?
- •What anti-malware solutions are deployed and how are they configured?
Evidence & Documentation:
- •Can you provide recent integrity monitoring reports or alerts?
- •What logs demonstrate that SI-2 is actively implemented?
- •Where is evidence of integrity monitoring maintained and for how long?
- •Can you provide recent vulnerability reports and POA&M items?
- •Can you show recent malware detection reports and response actions?
Ask AI
Configure your API key to use AI features.