|SI-2 (1) Central Management ||HIGH |
Central management is the organization-wide management and implementation of flaw remediation processes. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed flaw remediation security controls.
The organization centrally manages the flaw remediation process.
|SI-2 (2) Automated Flaw Remediation Status ||MODERATE |
The organization employs automated mechanisms [Assignment: organization-defined frequency] to determine the state of information system components with regard to flaw remediation.
|SI-2 (3) Time To Remediate Flaws / Benchmarks For Corrective Actions || |
This control enhancement requires organizations to determine the current time it takes, on average, to correct information system flaws after such flaws have been identified, and subsequently to establish organizational benchmarks (i.e., time frames) for taking corrective actions. Benchmarks can be established by type of flaw and/or by severity of the potential vulnerability if the flaw can be exploited.
The organization:
SI-2 (3)(a) Measures the time between flaw identification and flaw remediation; and
SI-2 (3)(b) Establishes [Assignment: organization-defined benchmarks] for taking corrective actions.
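As an added illustration of SI-2 (3), not part of the control text: the script below measures the time between flaw identification and remediation, averages it per severity, and flags flaws that have exceeded a benchmark. The finding records and the per-severity benchmarks are constructed, hypothetical values; an organization would substitute its own.

```python
from datetime import date
from statistics import mean

# Constructed sample findings (not from any real scan): when each flaw was
# identified and, if closed, when it was remediated. None means still open.
FINDINGS = [
    {"id": "F-1", "severity": "critical", "identified": "2024-03-01", "remediated": "2024-03-05"},
    {"id": "F-2", "severity": "high",     "identified": "2024-03-02", "remediated": "2024-03-20"},
    {"id": "F-3", "severity": "moderate", "identified": "2024-03-03", "remediated": "2024-04-25"},
    {"id": "F-4", "severity": "critical", "identified": "2024-03-10", "remediated": None},
]

# Hypothetical organization-defined benchmarks (SI-2 (3)(b)): maximum days
# allowed between identification and corrective action, by severity.
BENCHMARKS = {"critical": 7, "high": 30, "moderate": 60, "low": 90}


def days_to_remediate(finding, as_of):
    """Days from identification to remediation, or to `as_of` if still open."""
    identified = date.fromisoformat(finding["identified"])
    closed_on = finding["remediated"]
    end = date.fromisoformat(closed_on) if closed_on else date.fromisoformat(as_of)
    return (end - identified).days


def assess(findings, benchmarks, as_of):
    """Return (average days-to-remediate per severity for closed flaws,
    ids of flaws whose elapsed time exceeds the benchmark for their severity).

    Open flaws are measured up to `as_of`, so an unpatched flaw that has
    already outlived its benchmark is reported as overdue."""
    elapsed_by_severity = {}
    overdue = []
    for finding in findings:
        elapsed = days_to_remediate(finding, as_of)
        severity = finding["severity"]
        if finding["remediated"]:
            elapsed_by_severity.setdefault(severity, []).append(elapsed)
        if elapsed > benchmarks[severity]:
            overdue.append(finding["id"])
    averages = {sev: mean(days) for sev, days in elapsed_by_severity.items()}
    return averages, overdue


if __name__ == "__main__":
    averages, overdue = assess(FINDINGS, BENCHMARKS, "2024-03-20")
    print("average days to remediate:", averages)
    print("flaws over benchmark:", overdue)
```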
|SI-2 (4) Automated Patch Management Tools || |
Withdrawn: Incorporated into SI-2.
|SI-2 (5) Automatic Software / Firmware Updates || |
Due to information system integrity and availability concerns, organizations give careful consideration to the methodology used to carry out automatic updates. Organizations must balance the need to ensure that the updates are installed as soon as possible with the need to maintain configuration management and with any mission or operational impacts that automatic updates might impose.
The organization installs [Assignment: organization-defined security-relevant software and firmware updates] automatically to [Assignment: organization-defined information system components].
|SI-2 (6) Removal Of Previous Versions Of Software / Firmware || |
Previous versions of software and/or firmware components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software and/or firmware automatically from the information system.
The organization removes [Assignment: organization-defined software and firmware components] after updated versions have been installed.