SI-2: Flaw Remediation
NIST Baseline: Low
DIR Required By: 01/20/2023
Review Date: 08/22/2024
- Information resource custodians, in coordination with information resource owners, are responsible for:
  - Identifying, reporting, and correcting information resource security flaws as described in Control IR-6, Incident Reporting, and Control RA-5, Vulnerability Monitoring and Scanning;
  - Testing software and firmware updates related to security flaw remediation for effectiveness and potential side effects before installation as described in Control CM-3, Configuration Change Control, and Control CM-3(2), Testing, Validation, and Documentation of Changes;
  - Installing security-relevant software and firmware updates within timelines as specified in Control MA-1, Maintenance – Policy and Procedures, and Control MA-2, Controlled Maintenance; and
  - Incorporating security flaw remediation into the configuration management process as specified in Control CM-3, Configuration Change Control.