VPM-02: Vulnerability Remediation Process
Mechanisms exist to ensure that vulnerabilities are properly identified, tracked and remediated.
Control Question: Does the organization ensure that vulnerabilities are properly identified, tracked and remediated?
General (42)
| Framework | Mapping Values |
|---|---|
| AICPA TSC 2017:2022 (used for SOC 2) (source) | CC4.2 CC5.3-POF4 CC7.4-POF8 |
| CIS CSC 8.1 | 7.2 7.7 |
| CIS CSC 8.1 IG1 | 7.2 |
| CIS CSC 8.1 IG2 | 7.2 7.7 |
| CIS CSC 8.1 IG3 | 7.2 7.7 |
| COBIT 2019 | DSS03.01 DSS03.02 DSS03.03 DSS03.04 DSS03.05 DSS06.04 MEA01.05 |
| COSO 2017 | Principle 17 |
| CSA CCM 4 | AIS-07 TVM-03 |
| CSA IoT SCF 2 | CLS-06 VLN-02 VLN-04 |
| ISO/SAE 21434 2021 | RQ-08-07.b RQ-08-08 RQ-09-04 RQ-09-07.a RQ-09-07.b RQ-09-07.c RQ-09-07.d RQ-15-17.a RQ-15-17.b RQ-15-17.c RQ-15-17.d |
| ISO 27002 2022 | 8.8 |
| ISO 27017 2015 | 12.6.1 |
| ISO 42001 2023 | 10.2 10.2(a) 10.2(a)(1) 10.2(a)(2) 10.2(b) 10.2(b)(1) 10.2(b)(2) 10.2(b)(3) 10.2(c) 10.2(d) 10.2(e) |
| MPA Content Security Program 5.1 | TS-4.0 |
| NIST 800-53 R4 | PM-4 SC-18(1) |
| NIST 800-53 R5 (source) | PM-4 SC-18(1) |
| NIST 800-53 R5 (NOC) (source) | PM-4 SC-18(1) |
| NIST 800-161 R1 | PM-4 |
| NIST 800-161 R1 Level 2 | PM-4 |
| NIST 800-161 R1 Level 3 | PM-4 |
| NIST 800-171 R2 (source) | 3.14.1 |
| NIST 800-171A (source) | 3.11.3[a] 3.11.3[b] |
| NIST 800-171 R3 (source) | 03.11.02.b 03.12.02.a.02 03.14.01.a |
| NIST 800-171A R3 (source) | A.03.11.02.ODP[03] |
| NIST 800-218 | RV.2.2 |
| NIST CSF 2.0 (source) | ID.RA-08 PR.PS-02 |
| OWASP Top 10 2021 | A05:2021 A06:2021 |
| PCI DSS 4.0.1 (source) | 11.3 11.3.1 11.3.1.1 11.3.1.2 11.3.1.3 11.3.2 11.3.2.1 |
| PCI DSS 4.0.1 SAQ A (source) | 11.3.2 11.3.2.1 |
| PCI DSS 4.0.1 SAQ A-EP (source) | 11.3.2 11.3.2.1 |
| PCI DSS 4.0.1 SAQ B-IP (source) | 11.3.2 |
| PCI DSS 4.0.1 SAQ C (source) | 11.3.1 11.3.1.3 11.3.2 11.3.2.1 |
| PCI DSS 4.0.1 SAQ D Merchant (source) | 11.3.1 11.3.1.1 11.3.1.2 11.3.1.3 11.3.2 11.3.2.1 |
| PCI DSS 4.0.1 SAQ D Service Provider (source) | 11.3.1 11.3.1.1 11.3.1.2 11.3.1.3 11.3.2 11.3.2.1 |
| SWIFT CSF 2023 | 2.2 2.7 |
| TISAX ISA 6 | 5.2.5 |
| UL 2900-1 2017 | 7.1 |
| SCF CORE Fundamentals | VPM-02 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | VPM-02 |
| SCF CORE ESP Level 1 Foundational | VPM-02 |
| SCF CORE ESP Level 2 Critical Infrastructure | VPM-02 |
| SCF CORE ESP Level 3 Advanced Threats | VPM-02 |
US (24)
| Framework | Mapping Values |
|---|---|
| US C2M2 2.1 | THREAT-1.G.MIL2 THREAT-1.H.MIL2 THREAT-2.D.MIL1 RISK-2.I.MIL3 |
| US CERT RMM 1.2 | EC:SG3.SP2 EF:SG2.SP1 EF:SG2.SP2 KIM:SG3.SP2 PM:SG2.SP2 RISK:SG5.SP1 TM:SG3.SP2 VAR:SG1.SP2 |
| US CISA CPG 2022 | 1.E 1.F |
| US CMMC 2.0 Level 1 (source) | SI.L1-B.1.XII |
| US CMMC 2.0 Level 2 (source) | SI.L2-3.14.1 |
| US CMS MARS-E 2.0 | PM-4 |
| US DHS CISA SSDAF | 4.b 4.c |
| US DHS ZTCF | CLO-02 EPM-02 |
| US EO 14028 | 4e(iv) 4e(iv) |
| US FAR 52.204-21 | 52.204-21(b)(1)(xii) |
| US HIPAA HICP Small Practice | 2.S.A 7.S.A |
| US HIPAA HICP Medium Practice | 2.M.A 7.M.D |
| US HIPAA HICP Large Practice | 2.M.A 7.M.D 7.L.B |
| US IRS 1075 | PM-4 SC-18(1) |
| US NERC CIP 2024 (source) | CIP-007-6 2.2 CIP-007-6 2.3 CIP-007-6 2.4 |
| US NNPI (unclass) | 9.1 17.1 |
| US NSTC NSPM-33 | 6.11 |
| US SSA EIESR 8.0 | 5.6 |
| US TSA / DHS 1580/82-2022-01 | III.E.2.a III.E.2.b |
| US - CA CCPA 2025 | 7123(c)(5)(D) |
| US - MA 201 CMR 17.00 | 17.03(2)(j) |
| US - NY DFS 23 NYCRR500 2023 Amd 2 | 500.4(b)(6) 500.5(c) |
| US - OR 646A | 622(2)(d)(A)(i) |
| US - TX DIR Control Standards 2.0 | PM-4 |
EMEA (11)
| Framework | Mapping Values |
|---|---|
| EMEA EU NIS2 | 21.4 |
| EMEA EU NIS2 Annex | 6.10.1 6.10.2(c) 6.10.3 |
| EMEA Germany C5 2020 | OPS-18 PSS-02 |
| EMEA Israel CDMO 1.0 | 22.8 22.11 22.13 |
| EMEA Saudi Arabia CSCC-1 2019 | 2-9-1-2 |
| EMEA Saudi Arabia IoT CGIoT-1 2024 | 2-9-1 |
| EMEA Saudi Arabia ECC-1 2018 | 2-10-3-3 5-1-3-8 |
| EMEA Saudi Arabia OTCC-1 2022 | 2-9-1-2 |
| EMEA Saudi Arabia SACS-002 | TPC-11 TPC-91 |
| EMEA UK Cyber Essentials | 5 |
| EMEA UK DEFSTAN 05-138 | 2402 |
APAC (8)
| Framework | Mapping Values |
|---|---|
| APAC Australia Prudential Standard CPS234 | 21 |
| APAC India SEBI CSCRF | PR.MA.S3 |
| APAC Japan ISMAP | 4.7.1 12.6.1 12.6.1.18.PB |
| APAC New Zealand HISF 2022 | HHSP19 HHSP59 HML19 HML59 HSUP17 HSUP51 |
| APAC New Zealand HISF Suppliers 2023 | HSUP17 HSUP51 |
| APAC New Zealand NZISM 3.6 | 6.2.6.C.01 23.2.19.C.01 |
| APAC Singapore Cyber Hygiene Practice | 4.2(a) 4.2(b) |
| APAC Singapore MAS TRM 2021 | 13.6.1(a) 13.6.1(b) 13.6.1(c) |
Americas (3)
| Framework | Mapping Values |
|---|---|
| Americas Canada CSAG | 2.7 |
| Americas Canada OSFI B-13 | 2.6 |
| Americas Canada ITSP-10-171 | 03.11.02.B 03.12.02.A.02 03.14.01.A |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to ensure that vulnerabilities are properly identified, tracked and remediated.
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to ensure that vulnerabilities are properly identified, tracked and remediated.
Level 2 — Planned & Tracked
Vulnerability & Patch Management (VPM) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Identify cybersecurity and data protection controls to address applicable statutory, regulatory and contractual requirements for ASM. o Apply software patches and other vulnerability remediation efforts.
- Attack Surface Management (ASM) is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
- IT/cybersecurity personnel:
- Administrative processes and technologies focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.
Level 3 — Well Defined
Vulnerability & Patch Management (VPM) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Defines the scope of ASM activities. o Provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and data protection controls to protect the confidentiality, integrity, availability and safety of the organization's applications, systems, services and data with regards to ASM. o Provides oversight of ASM activities to centrally manage the flaw remediation process as part of the organization's overall Patch& Vulnerability & Patch Management Program (VPMP). o Manages the identification, tracking and remediation of vulnerabilities. o Utilizes a Security Incident Event monitor (SIEM), or similar automated tool, to monitor for unauthorized activities, accounts, connections, devices and software according to organization-specific Indicators of Compromise (IoC), including feeds from applications, hosts, network devices and vulnerability scanners.
- An IT Asset Management (ITAM) function, or similar function, categorizes devices according to the data the asset stores, transmits and/ or processes and applies the appropriate technology controls to protect the asset and data.
- A Governance, Risk & Compliance (GRC) function, or similar function:
- A Security Operations Center (SOC), or similar function:
- Asset custodians install the latest stable version of security-related updates on all systems within the organization-defined time requirements.
Level 4 — Quantitatively Controlled
Vulnerability & Patch Management (VPM) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
- Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
- Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
- Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
- Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
- Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving
Vulnerability & Patch Management (VPM) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions.
- Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.
Assessment Objectives
- VPM-02_A01 vulnerabilities are identified.
- VPM-02_A02 response times to remediate system vulnerabilities are defined.
- VPM-02_A03 vulnerabilities are remediated in accordance with risk assessments.
Evidence Requirements
- E-RSK-03 Plan of Actions & Milestones (POA&M) / Risk Register
-
Documented evidence of a POA&M, or risk register, that tracks control deficiencies from identification through remediation.
Risk Management - E-RSK-04 Cybersecurity Risk Assessment (RA)
-
Documented evidence of a cybersecurity-specific risk assessment.
Risk Management - E-VPM-01 Vulnerability & Patch Management Program (VPMP)
-
Documented evidence of a Vulnerability & Patch Management Program (VPMP). This is program-level documentation in the form of a runbook, playbook or a similar format provides guidance on organizational practices that support existing policies and standards.
Vulnerability & Patch Management - E-VPM-09 Flaw Remediation Actions
-
Documented evidence of list of recent security flaw remediation actions performed on the system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct system flaws).
Vulnerability Management