3.14.1

Requirement

a. Identify, report, and correct system flaws.
b. Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates.

Discussion

Organizations identify systems that are affected by announced software and firmware flaws, including potential vulnerabilities that result from those flaws, and report this information to designated personnel with information security responsibilities. Security-relevant updates include patches, service packs, hot fixes, and anti-virus signatures. Organizations address the flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations can take advantage of available resources (e.g., CWE or CVE databases) when remediating system flaws. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors, including the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types.

NIST 800-171A r3 Assessment Guidance

Examine

[SELECT FROM: system and information integrity policy and procedures; procedures for flaw remediation; procedures for configuration management; list of recent security flaw remediation actions performed on the system; list of flaws and vulnerabilities that may potentially affect the system; test results from the installation of software and firmware updates to correct system flaws; installation and change control records for security-relevant software and firmware updates; system security plan; other relevant documents or records]
Interview

[SELECT FROM: processes for identifying, reporting, and correcting system flaws; processes for installing software and firmware updates; mechanisms for supporting or implementing the reporting and correction of system flaws; mechanisms for supporting or implementing the testing software and firmware updates]
Test

[SELECT FROM: personnel responsible for installing, configuring, or maintaining the system; personnel responsible for flaw remediation; personnel with configuration management responsibilities; personnel with information security responsibilities; system administrators]

ID	Assessment Objectives
A.03.14.01.a[01]	system flaws are identified.
A.03.14.01.a[02]	system flaws are reported.
A.03.14.01.a[03]	system flaws are corrected.
A.03.14.01.b[01]	security-relevant software updates are installed within of the release of the updates.
A.03.14.01.b[02]	security-relevant firmware updates are installed within of the release of the updates.
A.03.14.01.ODP[01]	the time period within which to install security-relevant software updates after the release of the updates is defined.
A.03.14.01.ODP[02]	the time period within which to install security-relevant firmware updates after the release of the updates is defined.

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!