SI.L2-3.14.1, derived from NIST SP 800-171 Rev 2 Security Requirement 3.14.1, requires organizations to identify information system flaws, report those flaws to designated personnel or roles, and correct them — all within organizationally defined and documented time frames. A 'system flaw' encompasses software vulnerabilities, firmware deficiencies, misconfiguration errors, and any condition that degrades system integrity or exposes controlled unclassified information (CUI) to risk. The practice mandates that time frames for each phase — identification, reporting, and correction — are explicitly specified in policy or procedure, not merely implied. Organizations must also install security-relevant software updates, including patches and firmware updates, and test those updates for effectiveness and side effects before or concurrent with deployment. Compliance requires demonstrable evidence that flaws are being caught, escalated, and remediated within the committed windows.
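A way to produce the evidence the practice asks for, as an added example that is not part of this page or of the NIST/CMMC text: each flaw record is scored against per-phase windows, and flaws that missed a window or are still open past one are listed. The severity tiers, window lengths and sample records are constructed assumptions, as is timing identification from the date the flaw became knowable.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed, hypothetical windows: the practice leaves thresholds to each organization,
# so these are placeholders, not NIST/CMMC values. Each phase is timed from the one before it.
WINDOWS = {
    "high":   {"identify": timedelta(days=2),  "report": timedelta(days=1), "correct": timedelta(days=14)},
    "medium": {"identify": timedelta(days=7),  "report": timedelta(days=3), "correct": timedelta(days=30)},
    "low":    {"identify": timedelta(days=14), "report": timedelta(days=7), "correct": timedelta(days=90)},
}

@dataclass
class Flaw:
    flaw_id: str
    severity: str
    disclosed_at: datetime  # when the flaw became knowable (advisory, scan result, user report)
    identified_at: Optional[datetime] = None
    reported_at: Optional[datetime] = None
    corrected_at: Optional[datetime] = None

def phase_status(start, end, window, now):
    """'met'/'missed' once a phase is done, 'open'/'overdue' while pending,
    'blocked' if the preceding phase has not happened yet."""
    if start is None:
        return "blocked"
    if end is not None:
        return "met" if end - start <= window else "missed"
    return "overdue" if now - start > window else "open"

def evaluate(flaws, now, windows=WINDOWS):
    """Status of every phase of every flaw against the documented windows."""
    out = {}
    for f in flaws:
        w = windows[f.severity]
        out[f.flaw_id] = {
            "identify": phase_status(f.disclosed_at, f.identified_at, w["identify"], now),
            "report": phase_status(f.identified_at, f.reported_at, w["report"], now),
            "correct": phase_status(f.reported_at, f.corrected_at, w["correct"], now),
        }
    return out

def breaches(results):
    """Flaw ids with any phase missed or overdue: the records an assessor will ask about."""
    return [fid for fid, ph in results.items() if any(s in ("missed", "overdue") for s in ph.values())]
# Constructed sample records and evaluation date (F-2 was found late and is still uncorrected, F-3 was never reported).
SAMPLE = [Flaw("F-1", "high", datetime(2024, 1, 1), datetime(2024, 1, 2), datetime(2024, 1, 2), datetime(2024, 1, 10)),
          Flaw("F-2", "medium", datetime(2024, 1, 1), datetime(2024, 1, 10), datetime(2024, 1, 12)),
          Flaw("F-3", "low", datetime(2024, 1, 5), datetime(2024, 1, 6))]
NOW = datetime(2024, 2, 20)
```

`evaluate(SAMPLE, NOW)` marks F-2 as missed on identification and overdue on correction, and F-3 as overdue on reporting with correction blocked, so `breaches` returns both ids.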
Where it stops · what it isn't
- This practice does not specify universal time frame thresholds; organizations define their own windows based on risk, though those windows must be documented and enforced.
- SI.L2-3.14.1 does not cover malicious code detection and protection, which is addressed separately under SI.L2-3.14.2.
- This practice does not govern security alert monitoring or advisory response, which falls under SI.L2-3.14.3.
- This practice does not require penetration testing or red-team exercises to discover flaws; it governs the response process once flaws are identified through any means.
- Configuration baseline management and change control are governed by Configuration Management (CM) domain practices, though they inform flaw detection under this practice.
Connected concepts in the graph
PART OF domain/system-and-information-integrity