>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

3.14.1System and Information Integrity - Basic

Basic Requirement

>Control Description

Identify, report, and correct system flaws in a timely manner.

>Discussion

Organizations identify systems that are affected by announced software and firmware flaws including potential vulnerabilities resulting from those flaws and report this information to designated personnel with information security responsibilities. Security-relevant updates include patches, service packs, hot fixes, and anti-virus signatures. Organizations address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling.

Organizations can take advantage of available resources such as the Common Weakness Enumeration (CWE) database or Common Vulnerabilities and Exposures (CVE) database in remediating flaws discovered in organizational systems. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types of remediation. [SP 800-40] provides guidance on patch management technologies.

>Cross-Framework Mappings

CMMC

SI.L1-3.14.1
Compare

SCF

VPM-01
Compare
VPM-02
Compare
VPM-05
Compare

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern identification and authentication for system users?
  • What procedures define identity verification requirements?
  • Who approves identity and authentication standards?
  • How do you handle identity proofing and enrollment?
  • What governance ensures all users are properly identified and authenticated?

Technical Implementation:

  • What authentication methods uniquely identify users?
  • How do you implement username/password or stronger authentication?
  • What identity management systems manage user identities?
  • How do you enforce authentication before system access?
  • What monitoring tracks authentication events and failures?

Evidence & Documentation:

  • Can you provide identity and authentication policies?
  • What evidence shows all users are uniquely identified?
  • Can you demonstrate authentication enforcement across systems?
  • What logs track user authentication activities?
  • What audit findings verify identification and authentication compliance?

Ask AI

Configure your API key to use AI features.