CMMC Practice SI.L1-3.14.1

Identify, report, and correct information system flaws in a timely manner.

Monarch ISC Guidance

Level 1 compliance with this practice involves keeping all systems up to date with security patches. You need to turn on automatic updates for all systems, and be sure they are restarted regularly. Your policies for Level 2 should reflect this practice, and your security plan for Level 3 will note how systems are checked to ensure they are regularly updated. The organization will need to evaluate a patch management system which can remotely check systems for compliance with your policy and provide reports which can be used to measure the effectiveness of your patch management program for Maturity Level 4.
Security Catapult

Be prepared for CMMC

Our Q&A assessment tool is designed by security advisors for MSPs and DoD contractors of all sizes.

Try now for free

Understand your gaps
Security Catapult

Understand your gaps

See compliance gaps, compliance scores and proactive security tasks in a single interface.

Try now for free

Validate NIST SP 800-171
Security Catapult

Validate NIST SP 800-171

Based on your CMMC answers, we let you know where you stand on NIST.

Try now for free

Build a plan of action
Security Catapult

Build a plan of action

Track your burn down and stay on top of security needs.

Try now for free

Build your policy
Security Catapult

Build your policy

Say goodbye to maintaining a security policy. We do it for you.

Try now for free

Discussion From Source

DRAFT NIST SP 800-171 R2 Organizations identify systems that are affected by announced software and firmware flaws including potential vulnerabilities resulting from those flaws and report this information to designated personnel with information security responsibilities. Security-relevant updates include patches, service packs, hot fixes, and anti- virus signatures. Organizations address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations can take advantage of available resources such as the Common Weakness Enumeration (CWE) database or Common Vulnerabilities and Exposures (CVE) database in remediating flaws discovered in organizational systems. Organization-defined time periods for updating security -relevant software and firmware may vary based on a variety of factors including the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types of remediation. NIST SP 800-40 provides guidance on patch management technologies.

References