CMMC Practice RM.2.143

Remediate vulnerabilities in accordance with risk assessments.


CMMC Version 1.02, pg. 207

Bold Coast Security Guidance

The standard vulnerability scanning tools do not produce risk-based results, but rather standard international vulnerability ratings from the Common Vulnerabilities and Exposures (CVE) list. When considering remediation, however, risk is the best guide, so you'll want to integrate the technical scanning results with risk assessment practices so you can risk-rate vulnerabilities found in your environment, and manage remediation of risks identified in risk assessments with risk-rated vulnerabilities reported by your scanning tools. Level 1 compliance requires you have a practice of remediating risks and vulnerabilities. For Level 2 compliance, you'll need a policy that requires a remediation practice. It's best to incorporate remediation management into your risk management policies. For Maturity Level 3, your System Security Plan is where you will state specifics about what tools you use to identify vulnerabilities, who is responsible, risk ratings, and how you track remediation or acceptance of risk. You can transfer or avoid risk too, but those are uncommon.

Discussion From Source

DRAFT NIST SP 800-171 R2 Vulnerabilities discovered, for example, via the scanning conducted in response to RM.2.142, are remediated with consideration of the related assessment of risk. The consideration of risk influences the prioritization of remediation efforts and the level of effort to be expended in the remediation for specific vulnerabilities.