VPM: Vulnerability & Patch Management

33 controls

Leverage industry-recognized Attack Surface Management (ASM) practices to strengthen the security and resilience of systems, applications and services against evolving and sophisticated attack vectors.

| SCF # | Control Name | Weight | NIST CSF | Frameworks |
|---|---|---|---|---|
| VPM-01 | Vulnerability & Patch Management Program (VPMP) | 9 — Critical | Govern | 131 |
| VPM-01.1 | Attack Surface Scope | 5 — Medium | Protect | 45 |
| VPM-02 | Vulnerability Remediation Process | 10 — Critical | Protect | 88 |
| VPM-03 | Vulnerability Ranking | 8 — High | Identify | 40 |
| VPM-03.1 | Vulnerability Exploitation Analysis | 5 — Medium | Protect | 6 |
| VPM-04 | Continuous Vulnerability Remediation Activities | 8 — High | Protect | 56 |
| VPM-04.1 | Stable Versions | 8 — High | Identify | 13 |
| VPM-04.2 | Flaw Remediation with Personal Data (PD) | 8 — High | Identify | 6 |
| VPM-04.3 | Deferred Patching Decisions | 2 — Low | Protect | 2 |
| VPM-05 | Software & Firmware Patching | 10 — Critical | Protect | 115 |
| VPM-05.1 | Centralized Management of Flaw Remediation Processes | 9 — Critical | Protect | 44 |
| VPM-05.2 | Automated Remediation Status | 9 — Critical | Protect | 30 |
| VPM-05.3 | Time To Remediate / Benchmarks For Corrective Action | 6 — Medium | Protect | 22 |
| VPM-05.4 | Automated Software & Firmware Updates | 5 — Medium | Protect | 22 |
| VPM-05.5 | Removal of Previous Versions | 5 — Medium | Protect | 5 |
| VPM-05.6 | Pre-Deployment Patch Testing | 7 — High | Protect | 2 |
| VPM-05.7 | Out-of-Cycle Patching | 7 — High | Protect | 1 |
| VPM-05.8 | Software Patch Integrity | 9 — Critical | Protect | 1 |
| VPM-06 | Vulnerability Scanning | 9 — Critical | Detect | 107 |
| VPM-06.1 | Update Tool Capability | 8 — High | Protect | 50 |
| VPM-06.2 | Breadth / Depth of Coverage | 8 — High | Protect | 29 |
| VPM-06.3 | Privileged Access | 9 — Critical | Protect | 27 |
| VPM-06.4 | Trend Analysis | 9 — Critical | Identify | 16 |
| VPM-06.5 | Review Historical Event Logs | 9 — Critical | Detect | 14 |
| VPM-06.6 | External Vulnerability Assessment Scans | 9 — Critical | Detect | 12 |
| VPM-06.7 | Internal Vulnerability Assessment Scans | 9 — Critical | Detect | 9 |
| VPM-06.8 | Acceptable Discoverable Information | 5 — Medium | Protect | 16 |
| VPM-06.9 | Correlate Scanning Information | 5 — Medium | Detect | 6 |
| VPM-07 | Penetration Testing | 9 — Critical | Detect | 64 |
| VPM-07.1 | Independent Penetration Agent or Team | 6 — Medium | Detect | 26 |
| VPM-08 | Technical Surveillance Countermeasures Security | 1 — Low | Detect | 5 |
| VPM-09 | Reviewing Vulnerability Scanner Usage | 3 — Low | Detect | 1 |
| VPM-10 | Red Team Exercises | 3 — Low | Detect | 19 |

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.
