SI-2(3): Time To Remediate Flaws / Benchmarks For Corrective Actions

Parent Control:

SI-2: Flaw Remediation

CSF v1.1 References:

Baselines:

(Not part of any baseline)

Next Version:

Control Statement

The organization:

  1. Measures the time between flaw identification and flaw remediation; and
  2. Establishes [Assignment: organization-defined benchmarks] for taking corrective actions.

Supplemental Guidance

This control enhancement requires organizations to determine the current time it takes on the average to correct information system flaws after such flaws have been identified, and subsequently establish organizational benchmarks (i.e., time frames) for taking corrective actions. Benchmarks can be established by type of flaw and/or severity of the potential vulnerability if the flaw can be exploited.