Skip to main content

VPM-01: Vulnerability & Patch Management Program (VPMP)

VPM 9 — Critical Govern

Mechanisms exist to facilitate the implementation and monitoring of vulnerability management controls.

Control Question: Does the organization facilitate the implementation and monitoring of vulnerability management controls?

General (57)
Framework Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source) CC3.2-POF7 CC3.2-POF9 CC3.4-POF6 CC8.1-POF14 CC8.1-POF16 CC9.2-POF13
CIS CSC 8.1 7 7.1 18
CIS CSC 8.1 IG1 7.1
CIS CSC 8.1 IG2 7.1
CIS CSC 8.1 IG3 7.1
COBIT 2019 DSS05.07 MEA01.01
CSA CCM 4 AIS-07 TVM-01 TVM-02 UEM-07
CSA IoT SCF 2 CLS-06 SAP-05 VLN-01 VLN-02 VLN-04
GovRAMP Core SI-02 SI-03
GovRAMP Low SI-02 SI-03
GovRAMP Low+ SI-02 SI-03
GovRAMP Moderate SI-02 SI-03
GovRAMP High SI-02 SI-03
ISO/SAE 21434 2021 RQ-08-05 RQ-08-06 RQ-08-07.a RQ-08-07.b
ISO 27002 2022 8.8
ISO 27017 2015 12.6.1
MITRE ATT&CK 10 T1003, T1003.001, T1027, T1027.002, T1047, T1055, T1055.001, T1055.002, T1055.003, T1055.004, T1055.005, T1055.008, T1055.009, T1055.011, T1055.012, T1055.013, T1055.014, T1059, T1059.001, T1059.005, T1059.006, T1068, T1072, T1106, T1137, T1137.003, T1137.004, T1137.005, T1189, T1190, T1195, T1195.001, T1195.002, T1195.003, T1204, T1204.001, T1204.003, T1210, T1211, T1212, T1213.003, T1221, T1495, T1525, T1542, T1542.001, T1542.003, T1542.004, T1542.005, T1546.006, T1546.010, T1546.011, T1547.006, T1548.002, T1550.002, T1552, T1552.006, T1553, T1553.006, T1555.005, T1559, T1559.002, T1566, T1566.001, T1566.003, T1574, T1574.002, T1601, T1601.001, T1601.002, T1606, T1606.001, T1611
MPA Content Security Program 5.1 TS-4.0
NAIC Insurance Data Security Model Law (MDL-668) 4.D(4)
NIST Privacy Framework 1.0 PR.PO-P10
NIST 800-53 R4 SI-2 SI-3(2)
NIST 800-53 R4 (low) SI-2
NIST 800-53 R4 (moderate) SI-2 SI-3(2)
NIST 800-53 R4 (high) SI-2 SI-3(2)
NIST 800-53 R5 (source) SI-2 SI-3
NIST 800-53B R5 (low) (source) SI-2 SI-3
NIST 800-53B R5 (moderate) (source) SI-2 SI-3
NIST 800-53B R5 (high) (source) SI-2 SI-3
NIST 800-82 R3 LOW OT Overlay SI-2 SI-3
NIST 800-82 R3 MODERATE OT Overlay SI-2 SI-3
NIST 800-82 R3 HIGH OT Overlay SI-2 SI-3
NIST 800-161 R1 SI-2 SI-3
NIST 800-161 R1 C-SCRM Baseline SI-2 SI-3
NIST 800-161 R1 Flow Down SI-2 SI-3
NIST 800-161 R1 Level 2 SI-2 SI-3
NIST 800-161 R1 Level 3 SI-2 SI-3
NIST 800-171 R2 (source) 3.14.1
NIST 800-171A (source) 3.14.1[a] 3.14.1[b] 3.14.1[c] 3.14.1[d] 3.14.1[e] 3.14.1[f]
NIST 800-171 R3 (source) 03.11.02.a 03.14.01.a
NIST 800-171A R3 (source) A.03.11.02.ODP[03]
NIST CSF 2.0 (source) ID.RA-01 ID.RA-08 PR.PS-02
OWASP Top 10 2021 A05:2021 A06:2021
PCI DSS 4.0.1 (source) 6.3 6.3.1 6.3.3 11.3
PCI DSS 4.0.1 SAQ A (source) 6.3.1 6.3.3
PCI DSS 4.0.1 SAQ A-EP (source) 6.3.1 6.3.3
PCI DSS 4.0.1 SAQ B-IP (source) 6.3.1 6.3.3
PCI DSS 4.0.1 SAQ C (source) 6.3.1 6.3.3
PCI DSS 4.0.1 SAQ C-VT (source) 6.3.1 6.3.3
PCI DSS 4.0.1 SAQ D Merchant (source) 6.3.1 6.3.3
PCI DSS 4.0.1 SAQ D Service Provider (source) 6.3.1 6.3.3
Shared Assessments SIG 2025 T.2
SPARTA CM0007 CM0016
SWIFT CSF 2023 2.2 2.7
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) VPM-01
SCF CORE ESP Level 1 Foundational VPM-01
SCF CORE ESP Level 2 Critical Infrastructure VPM-01
SCF CORE ESP Level 3 Advanced Threats VPM-01
US (43)
Framework Mapping Values
US C2M2 2.1 THREAT-1.A.MIL1 THREAT-1.B.MIL1 THREAT-1.I.MIL2 RISK-2.I.MIL3
US CERT RMM 1.2 TM:SG4.SP2 VAR:SG1.SP1 VAR:SG2.SP2 VAR:SG2.SP3 VAR:SG3.SP1 VAR:SG4.SP1
US CISA CPG 2022 1.F
US CJIS Security Policy 5.9.3 (source) SI-2 SI-3
US CMMC 2.0 Level 1 (source) SI.L1-B.1.XII
US CMMC 2.0 Level 1 AOs (source) SI.L1-B.1.XII[a] SI.L1-B.1.XII[b] SI.L1-B.1.XII[c] SI.L1-B.1.XII[d] SI.L1-B.1.XII[e] SI.L1-B.1.XII[f]
US CMMC 2.0 Level 2 (source) SI.L2-3.14.1
US CMMC 2.0 Level 3 (source) SI.L2-3.14.1
US CMS MARS-E 2.0 SI-2 SI-3(2)
US DoD Zero Trust Execution Roadmap 2.5 3.3.2
US DHS CISA SSDAF 4.b
US DHS CISA TIC 3.0 3.UNI.VMANG
US DHS ZTCF CLO-02 EPM-02
US EO 14028 4e(iv)
US FAR 52.204-21 52.204-21(b)(1)(xii)
US FCA CRM 609.930(c)(2)
US FedRAMP R4 SI-2 SI-3(2)
US FedRAMP R4 (low) SI-2
US FedRAMP R4 (moderate) SI-2 SI-3(2)
US FedRAMP R4 (high) SI-2 SI-3(2)
US FedRAMP R4 (LI-SaaS) SI-2
US FedRAMP R5 (source) SI-2 SI-3(2)
US FedRAMP R5 (low) (source) SI-2
US FedRAMP R5 (moderate) (source) SI-2 SI-3(2)
US FedRAMP R5 (high) (source) SI-2 SI-3(2)
US FedRAMP R5 (LI-SaaS) (source) SI-2
US FFIEC D2.TI.Ti.B.2 D3.DC.Th.B.1 D1.RM.RA.E.2 D3.DC.Th.E.5 D3.DC.Th.A.1 D3.CC.Re.Ev.2
US GLBA CFR 314 2023 (source) 314.4(d)(2)
US HIPAA HICP Small Practice 2.S.A 7.S.A
US HIPAA HICP Medium Practice 2.M.A 7.M.D
US HIPAA HICP Large Practice 2.M.A 7.M.D 7.L.A 7.L.B 9.L.A
US IRS 1075 SI-2 SI-3
US NERC CIP 2024 (source) CIP-003-8 1.1.7 CIP-007-6 1.3 CIP-007-6 2.1
US NISPOM 2020 8-311 8-610
US NNPI (unclass) 9.1 17.1
US SSA EIESR 8.0 5.6
US TSA / DHS 1580/82-2022-01 III.E III.E.1 III.E III.E.2.a III.E.2.b
US - CA CCPA 2025 7123(c)(5)(D) 7123(c)(6)
US - NY DFS 23 NYCRR500 2023 Amd 2 500.3(o)
US - TX DIR Control Standards 2.0 SI-2 SI-3
US - TX TX-RAMP Level 1 SI-2
US - TX TX-RAMP Level 2 SI-2 SI-3(2)
US - VT Act 171 of 2018 2447(c)(7)
EMEA (19)
Framework Mapping Values
EMEA EU EBA GL/2019/04 3.3.3(21) 3.4.4(36)(a)
EMEA EU DORA 25.1 25.2 25.3 9.4(f)
EMEA EU NIS2 21.2(e)
EMEA EU NIS2 Annex 6.10.1 6.10.2(a) 6.10.2(d) 6.6.1
EMEA Austria Sec 14 Sec 15
EMEA Belgium 16
EMEA Germany Banking Supervisory Requirements for IT (BAIT) 5.6
EMEA Germany C5 2020 OPS-18 PSS-02
EMEA Israel CDMO 1.0 22.1 22.2
EMEA Saudi Arabia CSCC-1 2019 2-3-1-3 2-9 2-9-2
EMEA Saudi Arabia IoT CGIoT-1 2024 2-9-1
EMEA Saudi Arabia ECC-1 2018 2-3-4 2-10-1 2-10-2 2-10-3 2-10-4 2-11-1 2-11-2 2-11-3 2-11-4 5-1-3-8
EMEA Saudi Arabia OTCC-1 2022 2-9 2-9-1 2-9-2
EMEA Saudi Arabia SACS-002 TPC-11
EMEA Saudi Arabia SAMA CSF 1.0 3.3.17
EMEA South Africa 19
EMEA UK CAF 4.0 B4.d
EMEA UK Cyber Essentials 5
EMEA UK DEFSTAN 05-138 2402 2405
APAC (9)
Framework Mapping Values
APAC Australia ISM June 2024 ISM-1143 ISM-1163 ISM-1460 ISM-1493
APAC Australia Prudential Standard CPS234 17
APAC India SEBI CSCRF PR.IP.S12
APAC Japan ISMAP 12.6.1 12.6.1.18.PB
APAC New Zealand HISF 2022 HHSP19 HHSP26 HML19 HML26 HSUP17
APAC New Zealand HISF Suppliers 2023 HSUP17
APAC New Zealand NZISM 3.6 6.2.4.C.01
APAC Singapore Cyber Hygiene Practice 4.2(a) 4.2(b)
APAC Singapore MAS TRM 2021 4.2.1 7.4.1 7.4.2
Americas (3)
Framework Mapping Values
Americas Bermuda BMACCC 6.16
Americas Canada OSFI B-13 2.6 3.1
Americas Canada ITSP-10-171 03.11.02.A 03.14.01.A

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to facilitate the implementation and monitoring of vulnerability management controls.

Level 1 — Performed Informally

Vulnerability & Patch Management (VPM) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Attack Surface Management (ASM) is decentralized.
  • IT personnel apply software patches through an informal process.
  • Occasional vulnerability scanning is conducted on High Value Assets (HVAs).
Level 2 — Planned & Tracked

Vulnerability & Patch Management (VPM) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Identify cybersecurity and data protection controls to address applicable statutory, regulatory and contractual requirements for ASM. o Apply software patches and other vulnerability remediation efforts.

  • Attack Surface Management (ASM) is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  • IT/cybersecurity personnel:
  • Administrative processes and technologies focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.
Level 3 — Well Defined

Vulnerability & Patch Management (VPM) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Defines the scope of ASM activities. o Provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and data protection controls to protect the confidentiality, integrity, availability and safety of the organization's applications, systems, services and data with regards to ASM. o Provides oversight of ASM activities to centrally manage the flaw remediation process as part of the organization's overall Patch& Vulnerability & Patch Management Program (VPMP). o Manages the identification, tracking and remediation of vulnerabilities. o Utilizes a Security Incident Event monitor (SIEM), or similar automated tool, to monitor for unauthorized activities, accounts, connections, devices and software according to organization-specific Indicators of Compromise (IoC), including feeds from applications, hosts, network devices and vulnerability scanners.

  • The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization's business strategy to determine prioritized and authoritative guidance for Attack Surface Management (ASM) practices.
  • The CISO, or similar function, develops a security-focused Concept of Operations (CONOPS) that documents management, operational and technical measures to apply defense-in-depth techniques across the enterprise for ASM.
  • A steering committee is formally established to provide executive oversight of the cybersecurity and data privacy program, including ASM.
  • An IT Asset Management (ITAM) function, or similar function, categorizes devices according to the data the asset stores, transmits and/ or processes and applies the appropriate technology controls to protect the asset and data.
  • A Governance, Risk & Compliance (GRC) function, or similar function:
  • A Security Operations Center (SOC), or similar function:
  • Asset custodians install the latest stable version of security-related updates on all systems within the organization-defined time requirements.
Level 4 — Quantitatively Controlled

Vulnerability & Patch Management (VPM) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
  • Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
  • Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
  • Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
  • Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
  • Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to facilitate the implementation and monitoring of vulnerability management controls.

Assessment Objectives

  1. VPM-01_A01 an organization-wide vulnerability and patch management program is developed and implemented to proactively identify and remediation vulnerabilities.
  2. VPM-01_A02 the time within which to identify system flaws is specified.
  3. VPM-01_A03 system flaws are identified within the specified time frame.
  4. VPM-01_A04 the time within which to report system flaws is specified.
  5. VPM-01_A05 system flaws are reported within the specified time frame.
  6. VPM-01_A06 the time within which to correct system flaws is specified.
  7. VPM-01_A07 system flaws are corrected within the specified time frame.
  8. VPM-01_A08 time period within which to install security-relevant software updates after the release of the updates is defined.
  9. VPM-01_A09 software updates related to flaw remediation are tested for effectiveness before installation.
  10. VPM-01_A10 software updates related to flaw remediation are tested for potential side effects before installation.
  11. VPM-01_A11 firmware updates related to flaw remediation are tested for effectiveness before installation.
  12. VPM-01_A12 firmware updates related to flaw remediation are tested for potential side effects before installation.
  13. VPM-01_A13 security-relevant software updates are installed within an organization-defined time period of the release of the updates.
  14. VPM-01_A14 security-relevant firmware updates are installed within an organization-defined time period of the release of the updates.
  15. VPM-01_A15 flaw remediation is incorporated into the organizational configuration management process.
  16. VPM-01_A16 response times to remediate system vulnerabilities are defined.
  17. VPM-01_A17 vulnerability & patch management operations are conducted according to documented policies, standards, procedures and/or other organizational directives.
  18. VPM-01_A18 adequate resources (e.g., people, processes, technologies, data and/or facilities) are provided to support vulnerability & patch management operations.
  19. VPM-01_A19 responsibility and authority for the performance of vulnerability & patch management-related activities are assigned to designated personnel.
  20. VPM-01_A20 personnel performing vulnerability & patch management-related activities have the skills and knowledge needed to perform their assigned duties.

Evidence Requirements

E-MNT-03 Patch Management

Documented evidence of maintenance activities for systems, applications and services management (e.g., patch management).

Maintenance
E-THR-05 Threat Mitigation

Documented evidence of steps taken to mitigate identified threats.

Threat Management
E-VPM-01 Vulnerability & Patch Management Program (VPMP)

Documented evidence of a Vulnerability & Patch Management Program (VPMP). This is program-level documentation in the form of a runbook, playbook or a similar format provides guidance on organizational practices that support existing policies and standards.

Vulnerability & Patch Management

Technology Recommendations

Micro/Small

  • Third-party advisors (e.g., virtual CISO, Managed Security Services Provider (MSSP), etc.)

Small

  • Third-party advisors (e.g., virtual CISO, Managed Security Services Provider (MSSP), etc.)

Medium

  • Vulnerability & Patch Management Program

Large

  • Vulnerability & Patch Management Program

Enterprise

  • Vulnerability & Patch Management Program

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free