Skip to main content

VPM-05: Software & Firmware Patching

VPM 10 — Critical Protect

Mechanisms exist to conduct software patching for all deployed Technology Assets, Applications and/or Services (TAAS), including firmware.

Control Question: Does the organization conduct software patching for all deployed systems, applications and firmware?

General (54)
Framework Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source) CC8.1-POF14 CC8.1-POF16
CIS CSC 8.1 7.3 7.4 12.1 18.3
CIS CSC 8.1 IG1 7.3 7.4 12.1
CIS CSC 8.1 IG2 7.3 7.4 12.1 18.3
CIS CSC 8.1 IG3 7.3 7.4 12.1 18.3
CSA CCM 4 UEM-07
CSA IoT SCF 2 CCM-07 CLS-06 SAP-05 VLN-01
GovRAMP Core SI-02 SI-03
GovRAMP Low SI-02 SI-03
GovRAMP Low+ SI-02 SI-03
GovRAMP Moderate SI-02 SI-03
GovRAMP High SI-02 SI-03
IEC 62443-4-2 2019 HDR 3.10 (14.5.1) NDR 3.10 (15.7.1)
ISO 27002 2022 8.8
ISO 27017 2015 12.6.1
MPA Content Security Program 5.1 TS-4.2
NIST 800-53 R4 SI-2 SI-3(2)
NIST 800-53 R4 (low) SI-2
NIST 800-53 R4 (moderate) SI-2 SI-3(2)
NIST 800-53 R4 (high) SI-2 SI-3(2)
NIST 800-53 R5 (source) SI-2 SI-2(4) SI-3
NIST 800-53B R5 (low) (source) SI-2 SI-3
NIST 800-53B R5 (moderate) (source) SI-2 SI-3
NIST 800-53B R5 (high) (source) SI-2 SI-3
NIST 800-53 R5 (NOC) (source) SI-2(4)
NIST 800-82 R3 LOW OT Overlay SI-2 SI-3
NIST 800-82 R3 MODERATE OT Overlay SI-2 SI-3
NIST 800-82 R3 HIGH OT Overlay SI-2 SI-3
NIST 800-161 R1 SI-2 SI-3
NIST 800-161 R1 C-SCRM Baseline SI-2 SI-3
NIST 800-161 R1 Flow Down SI-2 SI-3
NIST 800-161 R1 Level 2 SI-2 SI-3
NIST 800-161 R1 Level 3 SI-2 SI-3
NIST 800-171 R2 (source) 3.11.3 3.14.1
NIST 800-171 R3 (source) 03.11.02.b 03.12.02.a.02 03.14.01.a 03.14.01.b
NIST 800-171A R3 (source) A.03.11.02.b A.03.14.01.ODP[01] A.03.14.01.ODP[02] A.03.14.01.a[01] A.03.14.01.a[02] A.03.14.01.a[03] A.03.14.01.b[01] A.03.14.01.b[02]
NIST CSF 2.0 (source) PR.PS-02
OWASP Top 10 2021 A06:2021
PCI DSS 4.0.1 (source) 6.3.3
PCI DSS 4.0.1 SAQ A (source) 6.3.3
PCI DSS 4.0.1 SAQ A-EP (source) 6.3.3
PCI DSS 4.0.1 SAQ B-IP (source) 6.3.3
PCI DSS 4.0.1 SAQ C (source) 6.3.3
PCI DSS 4.0.1 SAQ C-VT (source) 6.3.3
PCI DSS 4.0.1 SAQ D Merchant (source) 6.3.3
PCI DSS 4.0.1 SAQ D Service Provider (source) 6.3.3
Shared Assessments SIG 2025 N.4
SPARTA CM0010
SWIFT CSF 2023 2.2
SCF CORE Fundamentals VPM-05
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) VPM-05
SCF CORE ESP Level 1 Foundational VPM-05
SCF CORE ESP Level 2 Critical Infrastructure VPM-05
SCF CORE ESP Level 3 Advanced Threats VPM-05
US (36)
Framework Mapping Values
US CERT RMM 1.2 TM:SG4.SP2 VAR:SG2.SP2 VAR:SG2.SP3 VAR:SG3.SP1 VAR:SG4.SP1
US CJIS Security Policy 5.9.3 (source) SI-2 SI-3
US CMMC 2.0 Level 1 (source) SI.L1-B.1.XII
US CMMC 2.0 Level 2 (source) RA.L2-3.11.3 SI.L2-3.14.1
US CMMC 2.0 Level 3 (source) RA.L2-3.11.3
US CMS MARS-E 2.0 SI-2 SI-3(2)
US DoD Zero Trust Execution Roadmap 2.5
US DHS CISA TIC 3.0 3.UNI.PMANA
US DHS ZTCF EPM-02
US FAR 52.204-21 52.204-21(b)(1)(xii)
US FCA CRM 609.930(c)(2)
US FedRAMP R4 SI-2 SI-3(2)
US FedRAMP R4 (low) SI-2
US FedRAMP R4 (moderate) SI-2 SI-3(2)
US FedRAMP R4 (high) SI-2 SI-3(2)
US FedRAMP R4 (LI-SaaS) SI-2
US FedRAMP R5 (source) SI-2 SI-3(2)
US FedRAMP R5 (low) (source) SI-2
US FedRAMP R5 (moderate) (source) SI-2 SI-3(2)
US FedRAMP R5 (high) (source) SI-2 SI-3(2)
US FedRAMP R5 (LI-SaaS) (source) SI-2
US HIPAA HICP Small Practice 2.S.A 7.S.A
US HIPAA HICP Medium Practice 2.M.A 7.M.D
US HIPAA HICP Large Practice 2.M.A 7.M.D
US IRS 1075 SI-2 SI-2(4) SI-3
US NERC CIP 2024 (source) CIP-007-6 1.3 CIP-007-6 2.3
US NISPOM 2020 8-311 8-610
US NNPI (unclass) 9.1 17.1
US TSA / DHS 1580/82-2022-01 III.E III.E.1
US - CA CCPA 2025 7123(c)(5)(A) 7123(c)(5)(D)
US - MA 201 CMR 17.00 17.04(6)
US - OR 646A 622(2)(d)(B)(iii)
US - TX DIR Control Standards 2.0 SI-2 SI-3
US - TX TX-RAMP Level 1 SI-2
US - TX TX-RAMP Level 2 SI-2 SI-3(2)
US - VT Act 171 of 2018 2447(c)(7)
EMEA (11)
Framework Mapping Values
EMEA EU DORA 9.4(f)
EMEA EU NIS2 Annex 6.6.1(a)
EMEA Germany C5 2020 PSS-03
EMEA Israel CDMO 1.0 12.21
EMEA Saudi Arabia CSCC-1 2019 2-3-1-3
EMEA Saudi Arabia IoT CGIoT-1 2024 2-4-6 2-9-2
EMEA Saudi Arabia ECC-1 2018 2-3-3-3 2-10-3-4 5-1-3-9
EMEA Saudi Arabia OTCC-1 2022 2-3-1-3 2-4-1-15
EMEA Saudi Arabia SACS-002 TPC-11 TPC-78
EMEA UK Cyber Essentials 5
EMEA UK DEFSTAN 05-138 2402 2405
APAC (10)
Framework Mapping Values
APAC Australia Essential 8 ML1-P1 ML1-P2 ML2-P1 ML2-P2 ML3-P1 ML3-P2
APAC Australia ISM June 2024 ISM-1143 ISM-1493 ISM-1690 ISM-1691 ISM-1692 ISM-1693 ISM-1694 ISM-1695 ISM-1696 ISM-1697 ISM-1751
APAC Australia Prudential Standard CPS234 21
APAC India SEBI CSCRF PR.MA.S3
APAC Japan ISMAP 12.6.1 12.6.1.18.PB
APAC New Zealand HISF 2022 HHSP19 HML19 HSUP17
APAC New Zealand HISF Suppliers 2023 HSUP17
APAC New Zealand NZISM 3.6 23.2.19.C.01
APAC Singapore Cyber Hygiene Practice 4.2(a) 4.2(b)
APAC Singapore MAS TRM 2021 7.4.1 7.4.2
Americas (4)
Framework Mapping Values
Americas Bermuda BMACCC 6.16
Americas Canada CSAG 4.5 4.7 4.9
Americas Canada OSFI B-13 2.6 2.6.1 3.2.6
Americas Canada ITSP-10-171 03.11.02.B 03.12.02.A.02 03.14.01.A 03.14.01.B

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to conduct software patching for all deployed Technology Assets, Applications and/or Services (TAAS), including firmware.

Level 1 — Performed Informally

Vulnerability & Patch Management (VPM) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Attack Surface Management (ASM) is decentralized.
  • IT personnel apply software patches through an informal process.
  • Occasional vulnerability scanning is conducted on High Value Assets (HVAs).
Level 2 — Planned & Tracked

Vulnerability & Patch Management (VPM) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Identify cybersecurity and data protection controls to address applicable statutory, regulatory and contractual requirements for ASM. o Apply software patches and other vulnerability remediation efforts.

  • Attack Surface Management (ASM) is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  • IT/cybersecurity personnel:
  • Administrative processes and technologies focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.
Level 3 — Well Defined

Vulnerability & Patch Management (VPM) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Defines the scope of ASM activities. o Provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and data protection controls to protect the confidentiality, integrity, availability and safety of the organization's applications, systems, services and data with regards to ASM. o Provides oversight of ASM activities to centrally manage the flaw remediation process as part of the organization's overall Patch& Vulnerability & Patch Management Program (VPMP). o Manages the identification, tracking and remediation of vulnerabilities. o Utilizes a Security Incident Event monitor (SIEM), or similar automated tool, to monitor for unauthorized activities, accounts, connections, devices and software according to organization-specific Indicators of Compromise (IoC), including feeds from applications, hosts, network devices and vulnerability scanners.

  • An IT Asset Management (ITAM) function, or similar function, categorizes devices according to the data the asset stores, transmits and/ or processes and applies the appropriate technology controls to protect the asset and data.
  • A Governance, Risk & Compliance (GRC) function, or similar function:
  • A Security Operations Center (SOC), or similar function:
  • Asset custodians install the latest stable version of security-related updates on all systems within the organization-defined time requirements.
Level 4 — Quantitatively Controlled

Vulnerability & Patch Management (VPM) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
  • Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
  • Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
  • Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
  • Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
  • Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving

Vulnerability & Patch Management (VPM) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions.
  • Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.

Assessment Objectives

  1. VPM-05_A01 the time period within which to install security-relevant software updates after the release of the updates is defined.
  2. VPM-05_A02 system flaws are identified.
  3. VPM-05_A03 automated patch management tools are employed to facilitate flaw remediation to components.
  4. VPM-05_A04 system flaws are corrected.
  5. VPM-05_A05 system flaws are reported.
  6. VPM-05_A06 software updates related to flaw remediation are tested for effectiveness before installation.
  7. VPM-05_A07 software updates related to flaw remediation are tested for potential side effects before installation.
  8. VPM-05_A08 firmware updates related to flaw remediation are tested for effectiveness before installation.
  9. VPM-05_A09 firmware updates related to flaw remediation are tested for potential side effects before installation.
  10. VPM-05_A10 security-relevant software updates are installed within an organization-defined time period of the release of the updates.
  11. VPM-05_A11 security-relevant firmware updates are installed within an organization-defined time period of the release of the updates.
  12. VPM-05_A12 flaw remediation is incorporated into the organizational configuration management process.
  13. VPM-05_A13 the system components requiring automated patch management tools to facilitate flaw remediation are defined.
  14. VPM-05_A14 the time period within which to install security-relevant firmware updates after the release of the updates is defined.
  15. VPM-05_A15 system vulnerabilities are remediated within <A.03.11.02.ODP[03]: response times>.
  16. VPM-05_A16 security-relevant software updates are installed within <A.03.14.01.ODP[01]: time period> of the release of the updates.
  17. VPM-05_A17 security-relevant firmware updates are installed within <A.03.14.01.ODP[02]: time period> of the release of the updates.

Evidence Requirements

E-MNT-03 Patch Management

Documented evidence of maintenance activities for systems, applications and services management (e.g., patch management).

Maintenance
E-VPM-10 Applicable Flaws & Vulnerabilities

Documented evidence of flaws and vulnerabilities potentially affecting a specific system, application and/or service.

Vulnerability Management

Technology Recommendations

Micro/Small

  • ManageEngine Endpoint Central (https://manageengine.com)

Small

  • ManageEngine Endpoint Central (https://manageengine.com)

Medium

  • ManageEngine Endpoint Central (https://manageengine.com)

Large

  • ManageEngine Endpoint Central (https://manageengine.com)

Enterprise

  • ManageEngine Endpoint Central (https://manageengine.com)

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free