CMMC practice SI.L2-3.14.3, derived from NIST SP 800-171 Rev 2 security requirement 3.14.3, requires organizations to monitor security alerts and advisories from authoritative external sources such as US-CERT (CISA), software vendors, and information sharing organizations on a continuous basis. Organizations must pre-identify what response actions are appropriate for different categories of alerts and advisories, including patching, configuration changes, network isolation, or compensating controls. Once a relevant alert or advisory is received, the organization must take those identified actions within a defined timeframe commensurate with the severity of the threat. This practice closes the loop between threat intelligence receipt and operational response, ensuring that known vulnerabilities and threat indicators do not remain unaddressed on systems handling Controlled Unclassified Information (CUI). It operates in conjunction with flaw remediation (3.14.1) and malicious code protection (3.14.2) to form a comprehensive system integrity posture.
Where it stops · what it isn't
- This practice does not cover the generation or creation of security alerts; it covers the monitoring of and response to externally issued alerts and advisories
- This practice does not encompass incident detection and response arising from internal anomaly detection; that is addressed by SI.L2-3.14.6 and IR domain practices
- This practice does not require organizations to subscribe to every available threat feed, only authoritative and relevant sources appropriate to their systems and CUI scope
- This practice does not dictate specific patch application timelines for general vulnerability management; those are addressed under SI.L2-3.14.1
- This practice does not cover security awareness training on phishing or social engineering, which falls under the Awareness and Training domain