NIST 800-171 • LEVEL 2 • SYSTEM AND INFORMATION INTEGRITY
3.14.1 — Flaw Remediation
Identify, report, and correct system flaws. Install security-relevant software and firmware updates within {{ insert: param, A.03.14.01.ODP.01 }} of the release of the updates.
Assessment Objectives
- system flaws are identified.
- system flaws are reported.
- system flaws are corrected.
- security-relevant software updates are installed within {{ insert: param, A.03.14.01.ODP.01 }} of the release of the updates.
- security-relevant firmware updates are installed within {{ insert: param, A.03.14.01.ODP.02 }} of the release of the updates.
Practitioner Notes
Flaw remediation is a fancy way of saying "patch your systems." When vendors release security updates, you need to install them within the time period your organization has defined for this control. The longer you wait, the more time attackers have to exploit known vulnerabilities.
Example 1: Use Windows Server Update Services (WSUS) or Microsoft Endpoint Configuration Manager (MECM/SCCM) to centrally manage and deploy patches. Configure automatic approval rules for critical and security updates, and set a deployment deadline of 14 days after release. Run the WSUS console report monthly to verify compliance across your fleet.
Example 2: For cloud-managed endpoints, use Microsoft Intune > Devices > Windows updates > Update rings to define patching policies. Create an update ring that defers feature updates by 30 days but installs quality (security) updates within 7 days. Set the compliance deadline so devices that miss the window are automatically forced to restart and apply updates.
Do not forget non-Windows systems. Firmware updates for firewalls, switches, and printers count too; track these in your asset inventory.
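As an added example (not part of the original page), a small Python check of the kind a monthly review would run over an inventory export: it applies the organization-defined window for software and for firmware to each record and flags assets that missed theirs, including updates that were installed but only after the deadline. The 14-day and 30-day windows, the asset names and the update identifiers are constructed placeholders.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Organization-defined time periods (the ODP values in 3.14.1); assumed for this example.
SOFTWARE_WINDOW = timedelta(days=14)   # A.03.14.01.ODP.01
FIRMWARE_WINDOW = timedelta(days=30)   # A.03.14.01.ODP.02

@dataclass(frozen=True)
class UpdateRecord:
    asset: str              # hostname or inventory tag
    update_id: str          # vendor identifier (placeholder values below)
    kind: str               # "software" or "firmware"
    released: date          # vendor release date
    installed: date | None  # None means not yet installed

def deadline_for(rec: UpdateRecord) -> date:
    # Deadline is the release date plus the window for that update kind.
    window = FIRMWARE_WINDOW if rec.kind == "firmware" else SOFTWARE_WINDOW
    return rec.released + window

def evaluate(records, as_of: date) -> dict:
    """Map (asset, update_id) to compliant / late / overdue / pending."""
    results = {}
    for rec in records:
        deadline = deadline_for(rec)
        if rec.installed is not None:
            # Installed after the deadline is still a missed window for the assessor.
            status = "compliant" if rec.installed <= deadline else "late"
        else:
            status = "overdue" if as_of > deadline else "pending"
        results[(rec.asset, rec.update_id)] = status
    return results

def noncompliant_assets(records, as_of: date) -> list:
    # Assets with at least one late or overdue update, for the review report.
    flagged = evaluate(records, as_of)
    return sorted({a for (a, _), s in flagged.items() if s in ("late", "overdue")})

# Constructed inventory export; identifiers are placeholders, not real KB numbers.
SAMPLE_RECORDS = [
    UpdateRecord("srv-01", "KB-EXAMPLE-1", "software", date(2024, 6, 11), date(2024, 6, 20)),
    UpdateRecord("srv-02", "KB-EXAMPLE-1", "software", date(2024, 6, 11), date(2024, 7, 2)),
    UpdateRecord("wks-07", "KB-EXAMPLE-1", "software", date(2024, 6, 11), None),
    UpdateRecord("fw-edge-1", "FW-EXAMPLE-9.1", "firmware", date(2024, 6, 20), None),
    UpdateRecord("sw-core-1", "FW-EXAMPLE-2.4", "firmware", date(2024, 5, 15), None),
]
AS_OF = date(2024, 7, 1)  # reporting date for the monthly review

def report() -> dict:
    return evaluate(SAMPLE_RECORDS, AS_OF)
```

Feed it the export from WSUS, Intune or your asset inventory and the "late" and "overdue" rows are the ones an assessor will ask about.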