CMMC Practice RA.L2-3.11.3

Remediate vulnerabilities in accordance with risk assessments.

Bold Coast Security Guidance

Standard vulnerability scanning tools do not produce risk-based results. They report findings keyed to the Common Vulnerabilities and Exposures (CVE) list and rated with a Common Vulnerability Scoring System (CVSS) base score, which measures the severity of the flaw in isolation and says nothing about where the affected system sits in your environment or what data it holds. When considering remediation, however, risk is the best guide, so you'll want to integrate the technical scanning results with your risk assessment practices: risk-rate each vulnerability found in your environment using asset context such as exposure, data sensitivity and compensating controls, and then manage the risks identified in risk assessments and the risk-rated vulnerabilities reported by your scanning tools as one prioritized remediation queue. For instance, you should remediate internet facing systems first and test systems in a non-production enclave last, even when the scanner assigns both the same severity. Compliance requires that you have a practice of remediating risks and vulnerabilities, and a policy that requires that practice; it's best to incorporate remediation management into your risk management policies. You can also transfer or avoid a risk rather than remediate it, but those treatments are uncommon.
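As an added illustration (not Bold Coast Security's own guidance or tooling), the script below joins scanner findings to an asset inventory and turns CVSS base scores into risk-rated remediation priorities. The scanner output, host names, exposure and data-sensitivity multipliers, and SLA tiers are all constructed assumptions; a host that is missing from the inventory is treated as internet facing and CUI-bearing so that an inventory gap never lowers a priority.

```python
"""Risk-rate vulnerability scan findings against an asset inventory.

Added example, not part of the original guidance. Every value below
(findings, hosts, multipliers, tiers) is an assumption for demonstration.
"""
import json

# Constructed scanner output: CVSS v3 base scores as a scanner would report them.
# Finding names are placeholders, not real CVE identifiers.
SCAN_JSON = """
[
  {"host": "web01",  "finding": "example-finding-A", "cvss": 9.8},
  {"host": "db01",   "finding": "example-finding-B", "cvss": 7.5},
  {"host": "test03", "finding": "example-finding-A", "cvss": 9.8},
  {"host": "ghost9", "finding": "example-finding-C", "cvss": 5.3}
]
"""

# Constructed asset inventory: where each host sits and what it holds.
# "ghost9" is deliberately absent to exercise the unknown-asset path.
INVENTORY = {
    "web01":  {"exposure": "internet", "data": "cui"},
    "db01":   {"exposure": "internal", "data": "cui"},
    "test03": {"exposure": "test",     "data": "none"},
}

# Assumed multipliers expressing the guidance: internet facing first,
# non-production test enclave last, CUI-bearing systems ahead of the rest.
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.6, "test": 0.3}
DATA_WEIGHT = {"cui": 1.0, "none": 0.7}

# Fail-safe context for hosts the inventory does not know about.
UNKNOWN_ASSET = {"exposure": "internet", "data": "cui"}

# Assumed remediation tiers: (minimum risk score, tier name, SLA in days).
TIERS = [(7.0, "critical", 7), (4.0, "high", 30), (2.0, "medium", 90), (0.0, "low", 180)]


def risk_score(cvss: float, asset: dict) -> float:
    """Scale the scanner's CVSS base score by asset exposure and data sensitivity."""
    return round(cvss * EXPOSURE_WEIGHT[asset["exposure"]] * DATA_WEIGHT[asset["data"]], 1)


def tier_for(score: float) -> tuple:
    """Map a risk score to a (tier, sla_days) pair using the assumed tiers."""
    for minimum, name, sla_days in TIERS:
        if score >= minimum:
            return name, sla_days
    return "low", 180  # unreachable with a 0.0 floor, kept for safety


def rate_findings(scan_json: str, inventory: dict) -> list:
    """Return scanner findings as a remediation queue ordered by risk, highest first."""
    queue = []
    for f in json.loads(scan_json):
        asset = inventory.get(f["host"])
        unknown = asset is None
        if unknown:
            asset = UNKNOWN_ASSET  # never let an inventory gap lower the priority
        score = risk_score(f["cvss"], asset)
        tier, sla_days = tier_for(score)
        queue.append({
            "host": f["host"],
            "finding": f["finding"],
            "cvss": f["cvss"],
            "exposure": asset["exposure"],
            "risk": score,
            "tier": tier,
            "sla_days": sla_days,
            "unknown_asset": unknown,
        })
    # Sort by risk descending; ties fall back to CVSS so the order is stable.
    queue.sort(key=lambda r: (r["risk"], r["cvss"]), reverse=True)
    return queue


if __name__ == "__main__":
    for row in rate_findings(SCAN_JSON, INVENTORY):
        flag = "  (host missing from inventory: verify)" if row["unknown_asset"] else ""
        print(f'{row["host"]:7} cvss={row["cvss"]:<4} exposure={row["exposure"]:<9} '
              f'risk={row["risk"]:<4} {row["tier"]:<8} sla={row["sla_days"]}d{flag}')
```

The same CVSS 9.8 finding lands in the critical tier on the internet facing web server and in the medium tier on the test enclave host, which is the point of the guidance: the scanner's severity is an input to the risk rating, not the remediation priority itself. The multipliers and tiers here are illustrative; the ones you adopt belong in your risk management policy.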

Discussion From Source

DRAFT NIST SP 800-171 R2: Vulnerabilities discovered, for example, via the scanning conducted in response to RA.L2-3.11.2, are remediated with consideration of the related assessment of risk. The consideration of risk influences the prioritization of remediation efforts and the level of effort to be expended in the remediation for specific vulnerabilities.

References