SI-2(5)—Automatic Software And Firmware Updates
>Control Description
Install ⚙organization-defined security-relevant software and firmware updates automatically to ⚙organization-defined system components.
>Cross-Framework Mappings
>Supplemental Guidance
Due to system integrity and availability concerns, organizations consider the methodology used to carry out automatic updates. Organizations balance the need to ensure that the updates are installed as soon as possible with the need to maintain configuration management and control, and with any mission or operational impacts that automatic updates might impose (i.e., implementing a staggered deployment strategy).
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- •What policies and procedures govern automatic software and firmware updates?
- •Who is responsible for monitoring system and information integrity?
- •How frequently are integrity monitoring processes reviewed and updated?
- •What is your patch management process and timeline?
Technical Implementation:
- •What technical controls detect and respond to automatic software and firmware updates issues?
- •How are integrity violations identified and reported?
- •What automated tools support system and information integrity monitoring?
- •How do you ensure timely installation of security-relevant patches?
Evidence & Documentation:
- •Can you provide recent integrity monitoring reports or alerts?
- •What logs demonstrate that SI-2(5) is actively implemented?
- •Where is evidence of integrity monitoring maintained and for how long?
- •Can you show recent patch installation records?
Ask AI
Configure your API key to use AI features.