SI-02 Flaw Remediation
a. Identify, report, and correct system flaws;
b. Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;
c. Install security-relevant software and firmware updates within si-02_odp of the release of the updates; and
d. Incorporate flaw remediation into the organizational configuration management process.
The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security and privacy responsibilities. Security-relevant updates include patches, service packs, and malicious code signatures. Organizations also address flaws discovered during assessments, continuous monitoring, incident response activities, and system error handling. By incorporating flaw remediation into configuration management processes, required remediation actions can be tracked and verified.
Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of risk factors, including the security category of the system, the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw), the organizational risk tolerance, the mission supported by the system, or the threat environment. Some types of flaw remediation may require more testing than other types. Organizations determine the type of testing needed for the specific type of flaw remediation activity under consideration and the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software or firmware updates is not necessary or practical, such as when implementing simple malicious code signature updates. In testing decisions, organizations consider whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures.
- OMB A-130 Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource* , July 2016.
- FIPS 140-3 National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3.
- FIPS 186-4 National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4.
- SP 800-39 Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39.
- SP 800-40 Souppaya MP, Scarfone KA (2013) Guide to Enterprise Patch Management Technologies. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-40, Rev. 3.
- SP 800-128 Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128, Includes updates as of October 10, 2019.
- IR 7788 Singhal A, Ou X (2011) Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7788.
Control Enhancements 6
- SI-02(01) Central Management
- SI-02(02) Automated Flaw Remediation Status L M H P
- SI-02(03) Time to Remediate Flaws and Benchmarks for Corrective Actions L M H P
- SI-02(04) Automated Patch Management Tools L M H P
- SI-02(05) Automatic Software and Firmware Updates L M H P
- SI-02(06) Removal of Previous Versions of Software and Firmware L M H P
Related controls 15
- CA-05 Plan of Action and Milestones L M H P
- CM-03 Configuration Change Control L M H P
- CM-04 Impact Analyses L M H P
- CM-05 Access Restrictions for Change L M H P
- CM-06 Configuration Settings L M H P
- CM-08 System Component Inventory L M H P
- MA-02 Controlled Maintenance L M H P
- RA-05 Vulnerability Monitoring and Scanning L M H P
- SA-08 Security and Privacy Engineering Principles L M H P
- SA-10 Developer Configuration Management L M H P
- SA-11 Developer Testing and Evaluation L M H P
- SI-03 Malicious Code Protection L M H P
- SI-05 Security Alerts, Advisories, and Directives L M H P
- SI-07 Software, Firmware, and Information Integrity L M H P
- SI-11 Error Handling L M H P