NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION

SA-12(15) Processes to Address Weaknesses or Deficiencies

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Practitioner Notes

Establish processes to address weaknesses and deficiencies found in supply chain components after they are deployed. This includes vulnerability management for vendor-supplied products and processes for handling recalls or advisories.

Example 1: Subscribe to security advisories from all your hardware and software vendors. When a vulnerability is disclosed in a vendor product, assess its applicability to your environment, determine the risk, and patch or mitigate within defined timelines based on severity.

Example 2: Maintain a process for handling vendor product recalls or emergency advisories. When CISA issues an Emergency Directive affecting a product in your environment, have a documented process for rapid assessment, mitigation, and reporting — including notifying leadership and updating your risk register.