In this entry, we move into the final Domain for Level 1, System and Information Integrity (SI). This domain ensures that technology assets (e.g., desktops, software) that contain CUI are continuously monitored to detect violations of the authorized security state. Additionally, electronic mail (email), a common attack vector, is monitored and protected to detect malicious activity.  There are four practices within this domain, falling under 2 capabilities.  This first Practice, SI.1.210: Identify, Report and Correct Information and Information Flaws in a Timely Manner, comes under the Capability C040, Identify and Manage Information System Flaws.  This Practice can be found in the CMMC Appendix B on page B-237 (Page 277 of the PDF) and includes the following information:

Discussion from Source: NIST SP 800-171, R2:

Organizations identify systems that are affected by announced software and firmware flaws including potential vulnerabilities resulting from those flaws and report this information to designated personnel with information security responsibilities. Security-relevant updates include patches, service packs, hot fixes, and antivirus signatures. organizations address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations can take advantage of available resources such as the Common Weakness Enumeration (CWE) database or Common Vulnerabilities and Exposures (CVE) database in remediating flaws discovered in organizational systems.

Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types of remediation. NIST SP 800-40 provides guidance on patch management technologies.

CMMC Clarification:

All software and firmware have potential flaws. Many vendors work to reduce those flaws by releasing vulnerability information and updates to their software and firmware. Organizations should have a process to review relevant vendor newsletters with updates about common problems or weaknesses. After reviewing the information the organization should execute a process called patch management that allows for systems to be updated without adversely affecting the organization. Organizations should also purchase support from their vendors to ensure timely access to updates.

Example 

You have many responsibilities at your company, including IT. You know that malware, ransomware, and viruses can be a big problem for companies. You make sure to enable all security updates for your software, including the operating system and applications, and purchase the maintenance packages for new hardware and operating systems.

In our next entry, we will explore the second Practice within the Domain, System and Information Integrity (SI), S.I.211 – Provide protection from malicious code at appropriate locations within organizational information systems.

Until then…

Mark Lupo MBCP, SMP