Under active development — Content is continuously updated and improved · Last updated Feb 18, 2026, 2:55 AM UTC

3.11.3—Risk Assessment - Derived

Derived Requirement

>Control Description

Remediate vulnerabilities in accordance with risk assessments.

>Discussion

Vulnerabilities discovered, for example, via the scanning conducted in response to 3.11.2, are remediated with consideration of the related assessment of risk. The consideration of risk influences the prioritization of remediation efforts and the level of effort to be expended in the remediation for specific vulnerabilities.

>Cross-Framework Mappings

CMMC

SCF

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

•What policies govern remediation of vulnerabilities?
•What timelines exist for remediating different risk levels?
•Who approves remediation plans and timelines?
•What procedures address vulnerabilities that cannot be remediated?
•What governance tracks vulnerability remediation effectiveness?

Technical Implementation:

•What patch management systems support vulnerability remediation?
•How do you track vulnerabilities from identification to closure?
•What testing validates vulnerability remediation?
•How do you implement compensating controls for unpatched systems?
•What automated tools support vulnerability remediation workflows?

Evidence & Documentation:

•Can you show vulnerability remediation timelines and completion?
•What documentation tracks remediation efforts and exceptions?
•Can you demonstrate prioritization by vulnerability severity?
•What metrics show mean time to remediate?
•What audit evidence verifies timely vulnerability remediation?

Ask AI

Configure your API key to use AI features.