CMMC Level 2 practice RA.L2-3.11.3, derived from NIST SP 800-171 Rev 2 security requirement 3.11.3, requires organizations to remediate vulnerabilities in organizational systems and applications in accordance with risk assessments. After vulnerabilities are identified, whether through scanning, penetration testing, threat intelligence, or vendor advisories, they must be triaged and addressed according to the risk they pose to organizational operations, assets, and the confidentiality of CUI. Remediation actions include applying security patches, reconfiguring systems to eliminate the attack vector, removing vulnerable software, or implementing compensating controls when immediate patching is not feasible. The practice requires that risk assessment results drive remediation prioritization and scheduling, rather than patch availability or vendor guidance alone. In practice, each open finding should be traceable to a documented risk determination, including any decision to defer remediation or accept the risk. This requirement is explicitly linked to 3.11.2, which requires the vulnerability scans that feed remediation decisions.
Where it stops · what it isn't
- This practice does not define the specific scanning tools or scanning frequencies required; those are addressed by RA.L2-3.11.2
- This practice does not govern incident response procedures triggered after a vulnerability is actively exploited; that falls under IR domain practices
- This practice does not address the identification or management of software supply chain vulnerabilities beyond what is surfaced through standard vulnerability scanning and risk assessment processes
- This practice does not mandate a specific remediation timeframe (e.g., 30/60/90 days) but requires that timelines be informed by risk assessment results
- This practice does not cover configuration management baseline updates as a standalone activity; those are governed by CM domain practices, though they intersect with remediation implementation