NIST 800-171 • LEVEL 2 • SYSTEM AND INFORMATION INTEGRITY

3.14.3 Security Alerts, Advisories, and Directives

Receive system security alerts, advisories, and directives from external organizations on an ongoing basis. Generate and disseminate internal system security alerts, advisories, and directives, as necessary.

CMMC Practice Mapping

NIST 800-53 Controls

Assessment Objectives

  • system security alerts, advisories, and directives from external organizations are received on an ongoing basis.
  • internal security alerts, advisories, and directives are generated, as necessary.
  • internal security alerts, advisories, and directives are disseminated, as necessary.

Practitioner Notes

You need a way to stay informed about new vulnerabilities and threats that could affect your systems. This means subscribing to official sources and having a process to review and act on what you learn.

Example 1: Subscribe to CISA's Known Exploited Vulnerabilities (KEV) catalog updates (email notifications or the published JSON/CSV feed) and to the National Cyber Awareness System mailing lists (formerly US-CERT) at cisa.gov. When a new advisory affects software in your environment -- say, a critical Exchange Server vulnerability -- triage it within 48 hours, open a remediation ticket under your vulnerability management process, and track any fix that cannot be completed by its deadline in your POA&M.

Example 2: Enable Microsoft 365 Message Center notifications in the M365 admin center (Health > Message center) and set up email notifications for security-related posts. Note that the Message Center mainly announces service changes; for vulnerabilities in Microsoft products themselves, the authoritative source is the Microsoft Security Response Center (MSRC) Security Update Guide. Also subscribe to vendor-specific security bulletins -- for example, Cisco's Security Advisories or Palo Alto's Security Advisory page -- for any network hardware in your environment.

The key is a named person or team that owns these feeds, reviews them on a cadence tied to severity (a KEV addition or critical vendor advisory the day it arrives, routine bulletins weekly), records the decision taken on each item, and keeps the subscription confirmations and triage log as evidence for the assessor.
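The following script shows one way to automate the receive-and-disseminate loop from Example 1 and the ownership note above: pull the KEV feed, keep only entries added since the last run, match them against a software inventory, and emit internal advisories with a 48-hour triage deadline. It is an added example, not part of the NIST text or any CISA tooling. The feed URL and field names are those CISA publishes; the CVE IDs, inventory, dates, and the P1/P2 priority scheme are constructed placeholders.

```python
"""Cross-reference the CISA KEV catalog against a local software inventory and
generate internal advisories.  Added example, not part of the NIST 800-171 text."""
import json
from datetime import date, timedelta

# Real feed location.  Assumption: a scheduled job fetches it (e.g. daily) and
# passes the body to parse_kev(); here a constructed sample is embedded instead
# so the script runs offline.
KEV_URL = ("https://www.cisa.gov/sites/default/files/feeds/"
           "known_exploited_vulnerabilities.json")

# Constructed sample in the shape of the published feed.  The CVE IDs are
# placeholders and do not correspond to real catalog entries.
SAMPLE_KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2024.03.01",
    "dateReleased": "2024-03-01T12:00:00.0000Z",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-1900-0001", "vendorProject": "Microsoft",
         "product": "Exchange Server", "vulnerabilityName": "Sample Exchange RCE",
         "dateAdded": "2024-02-28", "shortDescription": "Constructed entry.",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2024-03-13", "knownRansomwareCampaignUse": "Known", "notes": ""},
        {"cveID": "CVE-1900-0002", "vendorProject": "Cisco",
         "product": "IOS XE", "vulnerabilityName": "Sample IOS XE privilege escalation",
         "dateAdded": "2024-02-29", "shortDescription": "Constructed entry.",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2024-03-21", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
        {"cveID": "CVE-1900-0003", "vendorProject": "Fortinet",
         "product": "FortiOS", "vulnerabilityName": "Sample FortiOS auth bypass",
         "dateAdded": "2024-01-10", "shortDescription": "Constructed entry.",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2024-01-31", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    ],
})

# Constructed inventory keyed by lower-cased (vendorProject, product), as you
# might export it from a CMDB or asset scanner.  Assumption: you maintain the
# mapping from KEV's vendor/product strings to your own product names.
INVENTORY = {
    ("microsoft", "exchange server"): ["mail01.corp.example", "mail02.corp.example"],
    ("cisco", "ios xe"): ["edge-rtr-1.corp.example"],
}

TRIAGE_WINDOW = timedelta(days=2)   # the 48-hour triage rule from Example 1


def parse_kev(feed_json):
    """Return the list of vulnerability entries from a KEV feed body."""
    return json.loads(feed_json)["vulnerabilities"]


def entries_added_since(entries, last_run):
    """last_run is an ISO date string; keep only entries added after it so
    each catalog addition produces exactly one internal advisory."""
    cutoff = date.fromisoformat(last_run)
    return [e for e in entries if date.fromisoformat(e["dateAdded"]) > cutoff]


def match_inventory(entries, inventory, received):
    """Turn KEV entries that hit inventoried products into internal advisories.
    received is the ISO date the feed was pulled; triage is due 48 h later."""
    triage_by = (date.fromisoformat(received) + TRIAGE_WINDOW).isoformat()
    alerts = []
    for e in entries:
        key = (e["vendorProject"].strip().lower(), e["product"].strip().lower())
        assets = inventory.get(key)
        if not assets:
            continue
        # Known ransomware use is CISA's own signal of widespread exploitation;
        # rank it first, everything else in KEV second (constructed scheme).
        priority = "P1" if e.get("knownRansomwareCampaignUse") == "Known" else "P2"
        alerts.append({
            "cve": e["cveID"],
            "product": f'{e["vendorProject"]} {e["product"]}',
            "assets": assets,
            "priority": priority,
            "triage_by": triage_by,
            "cisa_due": e["dueDate"],
            "required_action": e["requiredAction"],
        })
    alerts.sort(key=lambda a: (a["priority"], a["cisa_due"]))
    return alerts


def format_advisory(alert):
    """Render one internal advisory as the text sent to the owning team."""
    return (f'[{alert["priority"]}] INTERNAL ADVISORY {alert["cve"]}: {alert["product"]}\n'
            f'  affected assets: {", ".join(alert["assets"])}\n'
            f'  triage decision due: {alert["triage_by"]}\n'
            f'  CISA remediation due date: {alert["cisa_due"]}\n'
            f'  required action: {alert["required_action"]}')


if __name__ == "__main__":
    new_entries = entries_added_since(parse_kev(SAMPLE_KEV_FEED), "2024-02-27")
    for alert in match_inventory(new_entries, INVENTORY, "2024-03-01"):
        print(format_advisory(alert), end="\n\n")
```

Two caveats when running this against the real feed: KEV's `vendorProject` and `product` strings are free text and not always consistent with your asset names, so the inventory mapping needs upkeep (matching on CVE against a scanner's findings is more robust where you have one), and the `dueDate` is the deadline CISA sets for federal agencies, useful as a benchmark but not a substitute for the timeline in your own vulnerability management process.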