Continuous Vulnerability Management
Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise's infrastructure, in order to remediate them and minimize the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.
Why Is This Control Critical?
Cyber defenders are constantly being challenged by attackers who are looking for vulnerabilities within their infrastructure to exploit and gain access. Defenders must have timely threat information available to them (software updates, patches, security advisories, threat bulletins, etc.), and they should regularly review their environment to identify these vulnerabilities before attackers do. Understanding and managing vulnerabilities is a continuous activity, requiring focus of time, attention, and resources.
Safeguards (7)
| ID | Title | Function | IG | Checklist Items | Evidence |
|---|---|---|---|---|---|
| 7.1 | Establish and Maintain a Vulnerability Management Process | Protect | IG1, IG2, IG3 | 8 | 5 |
| 7.2 | Establish and Maintain a Remediation Process | Respond | IG1, IG2, IG3 | 5 | 3 |
| 7.3 | Perform Automated Operating System Patch Management | Protect | IG1, IG2, IG3 | 5 | 3 |
| 7.4 | Perform Automated Application Patch Management | Protect | IG1, IG2, IG3 | 5 | 3 |
| 7.5 | Perform Automated Vulnerability Scans of Internal Enterprise Assets | Identify | IG2, IG3 | 8 | 5 |
| 7.6 | Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets | Identify | IG2, IG3 | 8 | 5 |
| 7.7 | Remediate Detected Vulnerabilities | Respond | IG2, IG3 | 8 | 5 |
Audit Verification Details
7.1 Establish and Maintain a Vulnerability Management Process
Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Required protection controls are deployed and configured per the approved baseline. | Configuration exports, screenshots, or compliance scan results |
| Control effectiveness has been validated through testing. | Test results, validation reports, or scan output |
| Vulnerability scans cover all in-scope assets and run at the defined frequency. | Scan reports with scope and schedule evidence |
| Changes to protection controls follow the change management process. | Change tickets, approval records |
| Vulnerabilities are remediated within defined SLAs by severity. | Remediation tracking with SLA compliance metrics |
| Exceptions and risk acceptances are documented and approved. | Exception/waiver records with management sign-off |
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Technical | Vulnerability scan reports showing scope and findings | Per scan cycle |
| Record | Vulnerability remediation tracking with SLA compliance metrics | Monthly |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
7.2 Establish and Maintain a Remediation Process
Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Response procedures and playbooks are documented and current. | Response playbooks with review dates |
| Response procedures have been exercised through tabletop or simulation within the past 12 months. | Exercise reports, participant sign-off, lessons learned |
| Incident response actions are logged and tracked to completion. | Incident tickets, action item tracking, post-incident reviews |
| Type | Evidence Item | Frequency |
|---|---|---|
| Document | Response procedure/playbook documentation | Reviewed bi-annually |
| Record | Response action logs showing procedure execution | Per incident |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
7.3 Perform Automated Operating System Patch Management
Perform operating system updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Required protection controls are deployed and configured per the approved baseline. | Configuration exports, screenshots, or compliance scan results |
| Control effectiveness has been validated through testing. | Test results, validation reports, or scan output |
| Changes to protection controls follow the change management process. | Change tickets, approval records |
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
7.4 Perform Automated Application Patch Management
Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Required protection controls are deployed and configured per the approved baseline. | Configuration exports, screenshots, or compliance scan results |
| Control effectiveness has been validated through testing. | Test results, validation reports, or scan output |
| Changes to protection controls follow the change management process. | Change tickets, approval records |
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
7.5 Perform Automated Vulnerability Scans of Internal Enterprise Assets
Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Vulnerability scans cover all in-scope assets and run at the defined frequency. | Scan reports with scope and schedule evidence |
| An inventory or catalog is maintained, accurate, and complete. | Inventory export with timestamps showing recent updates |
| Inventory is reviewed and reconciled on the defined schedule. | Review meeting minutes, sign-off records, or change logs |
| New assets/items are added to the inventory within the defined onboarding window. | Sample of recently onboarded assets with inventory timestamps |
| Vulnerabilities are remediated within defined SLAs by severity. | Remediation tracking with SLA compliance metrics |
| Exceptions and risk acceptances are documented and approved. | Exception/waiver records with management sign-off |
| Type | Evidence Item | Frequency |
|---|---|---|
| Document | Current inventory or catalog documentation | Maintained continuously, reviewed quarterly |
| Document | Process/procedure documentation for identification activities | Reviewed annually |
| Technical | Vulnerability scan reports showing scope and findings | Per scan cycle |
| Record | Vulnerability remediation tracking with SLA compliance metrics | Monthly |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
7.6 Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets
Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Vulnerability scans cover all in-scope assets and run at the defined frequency. | Scan reports with scope and schedule evidence |
| An inventory or catalog is maintained, accurate, and complete. | Inventory export with timestamps showing recent updates |
| Inventory is reviewed and reconciled on the defined schedule. | Review meeting minutes, sign-off records, or change logs |
| New assets/items are added to the inventory within the defined onboarding window. | Sample of recently onboarded assets with inventory timestamps |
| Vulnerabilities are remediated within defined SLAs by severity. | Remediation tracking with SLA compliance metrics |
| Exceptions and risk acceptances are documented and approved. | Exception/waiver records with management sign-off |
| Type | Evidence Item | Frequency |
|---|---|---|
| Document | Current inventory or catalog documentation | Maintained continuously, reviewed quarterly |
| Document | Process/procedure documentation for identification activities | Reviewed annually |
| Technical | Vulnerability scan reports showing scope and findings | Per scan cycle |
| Record | Vulnerability remediation tracking with SLA compliance metrics | Monthly |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
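The checklist item "Vulnerability scans cover all in-scope assets and run at the defined frequency" for Safeguards 7.5 and 7.6 is only verifiable by reconciling the scan reports against the asset inventory. The script below is an added example (not part of this page or of any scanner's tooling) of that reconciliation: it takes a constructed inventory and constructed scan-run records, checks that every in-scope asset appeared in a scan inside the cadence window (quarterly for internal, monthly for external; the 90/30-day interpretation is an assumption), flags hosts that were scanned but are missing from the inventory, and, for internal assets, checks that both an authenticated and an unauthenticated scan covered them as 7.5 requires. Asset names, dates and the record layout are all illustrative.

```python
from datetime import date, timedelta

# Constructed sample data for this example (not from the page): the asset
# inventory, split by the two scan scopes the Safeguards define.
INVENTORY = {
    "internal": {"db01", "app01", "app02", "fs01"},
    "external": {"web01", "vpn01", "mail01"},
}

# One record per scan run: scope, run date, the hosts that actually appear
# in the report, and whether credentials were used (constructed data).
SCAN_RUNS = [
    {"scope": "internal", "date": "2024-03-02",
     "hosts": {"db01", "app01", "app02"}, "authenticated": True},
    {"scope": "internal", "date": "2024-03-02",
     "hosts": {"db01", "app01", "app02", "fs01"}, "authenticated": False},
    {"scope": "external", "date": "2024-05-20",
     "hosts": {"web01", "vpn01", "bastion9"}, "authenticated": False},
]

# Required cadence from the Safeguard text: internal at least quarterly (7.5),
# externally-exposed at least monthly (7.6). The day counts are an assumed
# interpretation of "quarterly" and "monthly".
MAX_AGE_DAYS = {"internal": 90, "external": 30}


def _d(value):
    """Accept ISO date strings (as found in scanner exports) or date objects."""
    return date.fromisoformat(value) if isinstance(value, str) else value


def coverage_report(inventory, scan_runs, as_of, max_age_days=MAX_AGE_DAYS):
    """Per scope: whether the cadence is met, assets with no scan inside the
    cadence window, hosts scanned but absent from the inventory, and (internal
    only, where 7.5 requires both) assets lacking an authenticated or an
    unauthenticated scan."""
    as_of = _d(as_of)
    report = {}
    for scope, assets in inventory.items():
        window = timedelta(days=max_age_days[scope])
        runs = [r for r in scan_runs if r["scope"] == scope]
        in_window = [r for r in runs if as_of - _d(r["date"]) <= window]
        covered = set().union(*(r["hosts"] for r in in_window))
        authed = set().union(*(r["hosts"] for r in in_window if r["authenticated"]))
        unauthed = set().union(*(r["hosts"] for r in in_window if not r["authenticated"]))
        last = max((_d(r["date"]) for r in runs), default=None)
        entry = {
            "last_scan": last.isoformat() if last else None,
            "cadence_met": last is not None and as_of - last <= window,
            "not_scanned": sorted(assets - covered),
            "not_in_inventory": sorted(covered - assets),
        }
        if scope == "internal":
            entry["missing_authenticated"] = sorted(assets - authed)
            entry["missing_unauthenticated"] = sorted(assets - unauthed)
        report[scope] = entry
    return report


def passes(report):
    """True only when every scope met its cadence and every in-scope asset was
    scanned as required. Hosts missing from the inventory are reported for
    follow-up under the inventory checklist items, not counted as a failure here."""
    return all(
        e["cadence_met"]
        and not e["not_scanned"]
        and not e.get("missing_authenticated")
        and not e.get("missing_unauthenticated")
        for e in report.values()
    )


if __name__ == "__main__":
    report = coverage_report(INVENTORY, SCAN_RUNS, "2024-05-31")
    for scope, entry in report.items():
        print(scope, entry)
    print("PASS" if passes(report) else "FAIL")
```

Run against the sample data on 2024-05-31, the internal scope meets its cadence but fs01 has only an unauthenticated scan, and the external scope is missing mail01 while reporting a host (bastion9) that the inventory does not know about; one day later the internal scope also falls outside its 90-day window, which is the condition the "defined frequency" item is meant to catch.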
7.7 Remediate Detected Vulnerabilities
Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Response procedures and playbooks are documented and current. | Response playbooks with review dates |
| Vulnerability scans cover all in-scope assets and run at the defined frequency. | Scan reports with scope and schedule evidence |
| Response procedures have been exercised through tabletop or simulation within the past 12 months. | Exercise reports, participant sign-off, lessons learned |
| Incident response actions are logged and tracked to completion. | Incident tickets, action item tracking, post-incident reviews |
| Vulnerabilities are remediated within defined SLAs by severity. | Remediation tracking with SLA compliance metrics |
| Exceptions and risk acceptances are documented and approved. | Exception/waiver records with management sign-off |
| Type | Evidence Item | Frequency |
|---|---|---|
| Document | Response procedure/playbook documentation | Reviewed bi-annually |
| Record | Response action logs showing procedure execution | Per incident |
| Technical | Vulnerability scan reports showing scope and findings | Per scan cycle |
| Record | Vulnerability remediation tracking with SLA compliance metrics | Monthly |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
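The "Remediation tracking with SLA compliance metrics" evidence required for Safeguards 7.2 and 7.7 (and repeated under 7.1, 7.5 and 7.6) has to be computed from finding records, and the approved exceptions from the next checklist item have to be excluded from it only while they are still valid. The script below is an added example, not the page's own material or any vendor's reporting, of that computation over a constructed set of findings. The severity SLA values, finding IDs, asset names and dates are assumptions; the Safeguard text only requires that SLAs be defined per severity. An expired exception is deliberately included so the metric shows the finding reverting to overdue once the waiver lapses.

```python
from collections import Counter
from datetime import date, timedelta

# Remediation SLA in days by severity. Assumed values for this example; the
# Safeguard only requires that SLAs be defined per severity in the process.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed findings (not real scan data): one row per vulnerability per
# asset, in the shape a scanner or ticket export would give. "exception"
# holds an approved risk acceptance with its expiry date, or None.
FINDINGS = [
    {"id": "F-1", "asset": "web01", "severity": "critical", "detected": "2024-05-01",
     "remediated": "2024-05-05", "exception": None},
    {"id": "F-2", "asset": "web01", "severity": "critical", "detected": "2024-05-01",
     "remediated": "2024-05-15", "exception": None},
    {"id": "F-3", "asset": "app01", "severity": "high", "detected": "2024-04-01",
     "remediated": None, "exception": None},
    {"id": "F-4", "asset": "db01", "severity": "high", "detected": "2024-05-20",
     "remediated": None, "exception": None},
    {"id": "F-5", "asset": "fs01", "severity": "medium", "detected": "2024-01-10",
     "remediated": None, "exception": {"approved_by": "CISO", "expires": "2024-09-30"}},
    {"id": "F-6", "asset": "fs01", "severity": "medium", "detected": "2024-01-10",
     "remediated": None, "exception": {"approved_by": "CISO", "expires": "2024-05-31"}},
    {"id": "F-7", "asset": "fs01", "severity": "low", "detected": "2024-02-01",
     "remediated": "2024-06-01", "exception": None},
]


def _d(value):
    """Accept ISO date strings (as in exports) or date objects."""
    return date.fromisoformat(value) if isinstance(value, str) else value


def classify(finding, as_of, sla_days=SLA_DAYS):
    """Bucket one finding relative to its SLA due date on the given day.
    An exception only counts while unexpired; once it lapses the finding is
    measured like any other, which is what keeps stale waivers from hiding
    overdue work."""
    as_of = _d(as_of)
    due = _d(finding["detected"]) + timedelta(days=sla_days[finding["severity"]])
    exc = finding["exception"]
    if exc and _d(exc["expires"]) >= as_of:
        return "excepted"
    if finding["remediated"] is not None:
        return "closed_in_sla" if _d(finding["remediated"]) <= due else "closed_late"
    return "open_in_sla" if as_of <= due else "open_overdue"


def sla_metrics(findings, as_of, sla_days=SLA_DAYS):
    """Per severity: bucket counts and the SLA compliance rate, defined as
    closed-within-SLA over every finding whose outcome is decided (closed, or
    open and past due). Open findings still inside their SLA and active
    exceptions are excluded from the denominator."""
    buckets = {}
    for f in findings:
        buckets.setdefault(f["severity"], Counter())[classify(f, as_of, sla_days)] += 1
    metrics = {}
    for sev, c in buckets.items():
        decided = c["closed_in_sla"] + c["closed_late"] + c["open_overdue"]
        metrics[sev] = {
            "total": sum(c.values()),
            "open_overdue": c["open_overdue"],
            "closed_late": c["closed_late"],
            "excepted": c["excepted"],
            "sla_compliance": round(c["closed_in_sla"] / decided, 3) if decided else None,
        }
    return metrics


def overdue(findings, as_of, sla_days=SLA_DAYS):
    """Finding IDs that need escalation under the remediation process today."""
    return sorted(f["id"] for f in findings
                  if classify(f, as_of, sla_days) == "open_overdue")


if __name__ == "__main__":
    today = "2024-06-10"
    for sev, m in sla_metrics(FINDINGS, today).items():
        print(sev, m)
    print("overdue:", overdue(FINDINGS, today))
```

On the sample data as of 2024-06-10 the critical tier shows 50% compliance (one of two closed inside the 7-day SLA), the high tier shows F-3 overdue while F-4 is still within its window and so not yet counted, and the medium tier shows F-5 excluded under a valid exception while F-6, whose exception expired on 2024-05-31, is reported overdue. The report is the monthly tracking record the evidence table asks for; the overdue list is what the remediation process escalates.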