Assessment, Prioritization, and Remediation of Vulnerabilities, v1.1
Specifies requirements in accordance with the NIST Secure Software Development Framework (SSDF), version 1.1, Practice RV.2: Assessment, Prioritization, and Remediation of Vulnerabilities. The practice requires an organization to help ensure that vulnerabilities are remediated in accordance with their risk, reducing the window of opportunity for attackers.
Assessment Steps (2)
1
Vulnerability Analysis for Remediation and Response Planning (VulnerabilityAnalysisforRemediationandResponsePlanning)
Does the organization analyze each vulnerability to gather sufficient information about risk to plan its remediation or other risk response?
Artifact
A1
Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) and supporting notes as appropriate to support the assessor's response to this assessment step.
2
Planning and Implementation of Vulnerability Risk Responses (PlanningandImplementationofVulnerabilityRiskResponses)
Does the organization plan and implement risk responses for vulnerabilities?
Artifact
A1
Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) and supporting notes as appropriate to support the assessor's response to this assessment step.
Conformance Criteria (2)
Vulnerability Analysis for Remediation and Response Planning
The organization must analyze each vulnerability to gather sufficient information about risk to plan its remediation or other risk response.
Citation
SSDF
Task RV.2.1
Planning and Implementation of Vulnerability Risk Responses
The organization must plan and implement risk responses for vulnerabilities.
Citation
SSDF
Task RV.2.2