>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

SI-2 (03)Flaw Remediation | Time to Remediate Flaws and Benchmarks for Corrective Actions

Moderate
High

>Control Description

(a) Measure the time between flaw identification and flaw remediation; and (b) Establish the following benchmarks for taking corrective actions: organization-defined benchmarks.

>FedRAMP Baseline Requirements

No FedRAMP-specific parameter values or requirements for this baseline.

>Discussion

Organizations determine the time it takes on average to correct system flaws after such flaws have been identified and subsequently establish organizational benchmarks (i.e., time frames) for taking corrective actions. Benchmarks can be established by the type of flaw or the severity of the potential vulnerability if the flaw can be exploited.

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies and procedures govern time to remediate flaws and benchmarks for corrective actions?
  • Who is responsible for monitoring system and information integrity?
  • How frequently are integrity monitoring processes reviewed and updated?
  • What is your process for identifying, reporting, and remediating flaws and vulnerabilities?

Technical Implementation:

  • What technical controls detect and respond to time to remediate flaws and benchmarks for corrective actions issues?
  • How are integrity violations identified and reported?
  • What automated tools support system and information integrity monitoring?
  • What tools are used to identify software flaws and vulnerabilities?

Evidence & Documentation:

  • Can you provide recent integrity monitoring reports or alerts?
  • What logs demonstrate that SI-2(3) is actively implemented?
  • Where is evidence of integrity monitoring maintained and for how long?
  • Can you provide recent vulnerability reports and POA&M items?

Ask AI

Configure your API key to use AI features.