Description:

Organizations identify systems that are affected by announced software and firmware flaws including potential vulnerabilities resulting from those flaws and report this information to designated personnel with information security responsibilities. Security-relevant updates include patches, service packs, hot fixes, and anti-virus signatures. Organizations address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations can take advantage of available resources such as the Common Weakness Enumeration (CWE) database or Common Vulnerabilities and Exposures (CVE) database in remediating flaws discovered in organizational systems.  Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types of remediation.  [SP 800-40] provides guidance on patch management technologies.


Priority: High


Category: Vulnerability Management 


Services Associated with AWS:

  1. AWS Security Hub
  2. Amazon Inspector
  3. AWS Config
  4. AWS Systems Manager

Objective Evidence: 

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate how IT Asset Management (ITAM) is implemented
  • Administrative: supporting documentation to demonstrate change management practices reviewed/approved the maintenance request(s)
  • Administrative: supporting documentation of a Vulnerability & Patch Management Program (VPMP) that addresses corrective maintenance operations
  • Administrative: supporting documentation of role-based security training being performed
  • Administrative: supporting documentation of professional competence by individual(s) performing maintenance roles
  • Technical: screen shot of Configuration Management Database (CMDB) ticket 

Possible Technology Considerations : 

  • Patch Management Solution
  • Change Control Solution
  • Configuration Management Database (CMDB) 

What needs to be answered?

Are system flaws identified, reported, and corrected within company-defined time periods? Does the company perform all security-relevant software updates (patching, service packs, hot fixes, and anti-virus signature additions) in response to identified system flaws and vulnerabilities within the timeframe specified in policy or within the system security plan? When available, do managers and administrators of the system rely on centralized management of the flaw remediation process, to include the use of automated update software, patch management tools, and automated status scanning? Is the time between flaw identification and flaw remediation measured and compared with benchmarks?

  • System Flaw Identification Check
    Description: This check verifies that systems affected by software and firmware flaws, including potential vulnerabilities resulting from those flaws, are identified promptly. The check also ensures that these are reported to the appropriate personnel with information security responsibilities.
  • Flaw Remediation Check
    Description: This check ensures that flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling are addressed in a timely manner. It also ensures that any necessary updates, such as patches, service packs, hot fixes, and anti-virus signatures, are installed promptly.
  • Regular Update Check
    Description: This check verifies that security-relevant software and firmware are updated within the organization-defined time periods. It ensures that the criticality of the update is taken into consideration when determining the time frame for installation.


More Details:

System flaws identified by employees and monitoring systems resolved by IT support staff as soon as possible.