CMMC Practice SI.1.210
Identify, report, and correct information system flaws in a timely manner.
Bold Coast Security Guidance
Level 1 compliance with this practice involves keeping all systems up to date with security patches. You need to turn on automatic updates for all systems, and be sure they are restarted regularly. Your policies for Level 2 should reflect this practice, and your security plan for Level 3 will note how systems are checked to ensure they are regularly updated.
The organization will need to evaluate a patch management system which can remotely check systems for compliance with your policy and provide reports which can be used to measure the effectiveness of your patch management program for Maturity Level 4.
DRAFT NIST SP 800-171 R2
Organizations identify systems that are affected by announced software and firmware flaws including potential vulnerabilities resulting from those flaws and report this information to designated personnel with information security responsibilities. Security-relevant updates include patches, service packs, hot fixes, and anti- virus signatures. Organizations address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations can take advantage of available resources such as the Common Weakness Enumeration (CWE) database or Common Vulnerabilities and Exposures (CVE) database in remediating flaws discovered in organizational systems.
Organization-defined time periods for updating security -relevant software and firmware may vary based on a variety of factors including the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types of remediation. NIST SP 800-40 provides guidance on patch management technologies.