CMMC Practice RA.L2-3.11.3

Vulnerability Remediation: Remediate vulnerabilities in accordance with risk assessments.

Monarch ISC Guidance

The standard vulnerability scanning tools do not produce risk-based results, but rather standard international vulnerability ratings from the Common Vulnerabilities and Exposures (CVE) list. When considering remediation, however, risk is the best guide, so you'll want to integrate the technical scanning results with risk assessment practices so you can risk-rate vulnerabilities found in your environment, and manage remediation of risks identified in risk assessments with risk-rated vulnerabilities reported by your scanning tools. For instance, you should remediate internet facing systems first, and test systems in a non-production enclave last. Compliance requires you have a practice of remediating risks and vulnerabilities. You'll need a policy that requires a remediation practice. It's best to incorporate remediation management into your risk management policies. You can transfer or avoid risk too, but those are uncommon.

Discussion From Source

NIST SP 800-171 R2 Vulnerabilities discovered, for example, via the scanning conducted in response to RA.L2-3.11.2, are remediated with consideration of the related assessment of risk. The consideration of risk influences the prioritization of remediation efforts and the level of effort to be expended in the remediation for specific vulnerabilities.

References