SI-2(3): Time To Remediate Flaws / Benchmarks For Corrective Actions
Control Family:
Parent Control:
Baselines:
(Not part of any baseline)
Next Version:
- NIST Special Publication 800-53 Revision 5: SI-2(3): Time to Remediate Flaws and Benchmarks for Corrective Actions
Control Statement
The organization:
- Measures the time between flaw identification and flaw remediation; and
- Establishes [Assignment: organization-defined benchmarks] for taking corrective actions.
Supplemental Guidance
This control enhancement requires organizations to determine the current time it takes on the average to correct information system flaws after such flaws have been identified, and subsequently establish organizational benchmarks (i.e., time frames) for taking corrective actions. Benchmarks can be established by type of flaw and/or severity of the potential vulnerability if the flaw can be exploited.