NetStable
Level 2 RA.L2-3.11.3

Remediate vulnerabilities in accordance with risk assessments

📖 What This Means

This control requires organizations to fix identified vulnerabilities based on the severity and risk they pose to the organization. Once vulnerabilities are found through scans or assessments, they must be prioritized and addressed within the timelines set by the risk assessment: patched, mitigated with a compensating control, or formally risk-accepted with a documented justification. For example, a critical vulnerability in a server that could allow unauthorized access should be patched immediately, while a low-risk issue in a non-critical system might be scheduled for a later maintenance window. The goal is to ensure that systems and data are protected from potential threats by systematically addressing weaknesses.

🎯 Why It Matters

Unremediated vulnerabilities can be exploited by attackers, leading to data breaches, system compromises, and significant financial and reputational damage. For example, the Equifax breach in 2017 was caused by an unpatched vulnerability in the Apache Struts web application framework, for which a fix had been available for about two months, resulting in the exposure of sensitive data for approximately 147 million people. From a DoD/CMMC perspective, this control is critical because defense contractors handle sensitive government information, and failure to remediate vulnerabilities could compromise national security. The potential impact includes loss of contracts, regulatory fines, and damage to trust with government partners.

How to Implement

  1. Use cloud-native vulnerability scanning tools such as Amazon Inspector, Microsoft Defender for Cloud (formerly Azure Security Center), or GCP Security Command Center.
  2. Configure automated scans to run at least weekly on all cloud assets, and tie scanning to the asset inventory so newly created resources are included automatically.
  3. Prioritize vulnerabilities based on severity (critical, high, medium, low) using the cloud provider's risk scoring, adjusted for the asset's exposure and the sensitivity of the data it handles (CUI systems first).
  4. Apply patches or compensating mitigations (e.g., firewall rules, access restrictions) within your documented risk-based timelines, for example 7 days for critical and 30 days for high findings, and record a risk acceptance decision for anything that cannot be fixed within the timeline.
  5. Document remediation actions in a cloud-specific risk register.
  6. Rescan after each fix to confirm the finding is closed, and enable continuous monitoring to detect new vulnerabilities.
  7. Regularly review and update cloud security configurations.
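The prioritize, track and verify loop in steps 3 through 6 (and the post-remediation rescan the Evidence section asks for), as an added worked example that is not NetStable's code or any scanner's own tooling. It reads a constructed CSV export of scan findings, assigns each a due date from a severity-based SLA (the 7-day critical and 30-day high timelines follow this page; the medium and low values are assumed), flags overdue items, and only closes a finding when a separate rescan export confirms it is gone. All finding IDs, asset names, dates and the remediation log are constructed for illustration; the one CVE referenced is the Struts flaw behind the Equifax breach mentioned above.

```python
import csv
import io
from datetime import date, timedelta

# Remediation deadline per severity, in days from first detection.
# 7-day critical / 30-day high follow this page; medium/low are assumed values.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed scanner export (not real scan data).
SCAN_EXPORT = """finding_id,asset,title,severity,first_seen
F-101,web-01,Apache Struts remote code execution (CVE-2017-5638),critical,2024-03-01
F-102,web-01,TLS 1.0 enabled,medium,2024-02-10
F-103,db-01,Unsupported database engine version,high,2024-02-01
F-104,build-01,Missing OS security updates,high,2024-02-20
F-105,web-02,Verbose server banner,low,2024-01-15
"""

# Findings the (constructed) remediation log claims are fixed.
CLAIMED_FIXED = {"F-101", "F-103", "F-104"}

# Constructed post-remediation rescan export. F-104 was never rescanned.
RESCAN_EXPORT = """finding_id,asset,status
F-101,web-01,fixed
F-102,web-01,open
F-103,db-01,open
"""

AS_OF = date(2024, 3, 5)  # report date (constructed)


def parse_export(csv_text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def due_date(finding):
    """Deadline for a finding: first detection plus the SLA for its severity.
    An unrecognised severity gets the strictest SLA rather than no deadline."""
    sev = finding["severity"].strip().lower()
    days = SLA_DAYS.get(sev, SLA_DAYS["critical"])
    return date.fromisoformat(finding["first_seen"]) + timedelta(days=days)


def verify_fixes(claimed_fixed, rescan_text):
    """Check each claimed fix against the rescan. A fix counts only when the
    rescan reports the finding as fixed; anything else stays open."""
    rescan = {r["finding_id"]: r["status"].strip().lower()
              for r in parse_export(rescan_text)}
    outcome = {}
    for fid in sorted(claimed_fixed):
        if fid not in rescan:
            outcome[fid] = "not rescanned"      # no evidence the fix worked
        elif rescan[fid] == "fixed":
            outcome[fid] = "verified"
        else:
            outcome[fid] = "still present"      # patch did not take; reopen
    return outcome


def triage(findings, claimed_fixed, rescan_text, as_of):
    """Build the remediation queue: verified fixes drop out, everything else
    gets a due date and is ordered by severity, then by soonest deadline."""
    verification = verify_fixes(claimed_fixed, rescan_text)
    queue = []
    for f in findings:
        fid = f["finding_id"]
        if verification.get(fid) == "verified":
            continue
        due = due_date(f)
        queue.append({
            "finding_id": fid,
            "asset": f["asset"],
            "severity": f["severity"].strip().lower(),
            "due": due.isoformat(),
            "days_left": (due - as_of).days,   # negative means overdue
            "overdue": due < as_of,
            "status": verification.get(fid, "open"),
        })
    queue.sort(key=lambda q: (SEVERITY_RANK.get(q["severity"], 0), q["due"]))
    return queue


def run_example():
    """Triage the constructed data as of AS_OF."""
    return triage(parse_export(SCAN_EXPORT), CLAIMED_FIXED, RESCAN_EXPORT, AS_OF)


if __name__ == "__main__":
    for item in run_example():
        flag = "OVERDUE" if item["overdue"] else f"{item['days_left']}d left"
        print(f"{item['finding_id']} {item['severity']:<8} {item['asset']:<9} "
              f"due {item['due']} {flag:<9} {item['status']}")
```

Run as a script to print the queue. With the constructed data the Struts finding is the only one that leaves the queue, because it is the only claimed fix the rescan confirms; the database finding stays at the top as overdue and "still present", and the build host stays open as "not rescanned" with its SLA clock still running. That is the behaviour the Evidence section's "Rescan Results" artifact exists to prove.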
⏱️ Estimated Effort

Initial setup: 2-3 days (Intermediate skill). Ongoing: 5-10 hours/month (Basic skill).

📋 Evidence Examples

Vulnerability Scan Report

Format: PDF/Excel
Frequency: Monthly
Contents: List of vulnerabilities, severity, affected assets, and remediation status.
Collection: Export from scanning tool.

Remediation Plan

Format: Word/Excel
Frequency: Updated after each scan
Contents: Timeline, responsible parties, and status of each vulnerability.
Collection: Manually created or generated by scanning tool.

Patch Management Log

Format: Excel/CSV
Frequency: Weekly
Contents: Details of patches applied, dates, and systems affected.
Collection: Generated from patch management software or manually.

Risk Assessment Report

Format: PDF
Frequency: Quarterly
Contents: Risk matrix, prioritized vulnerabilities, and mitigation strategies.
Collection: Manually created.

Rescan Results

Format: PDF/Excel
Frequency: After each remediation
Contents: Post-remediation scan results confirming fixes.
Collection: Export from scanning tool.

📝 SSP Guidance

Use this guidance when writing the System Security Plan (SSP) narrative for this control.

How to Write the SSP Narrative

For RA.L2-3.11.3 ("Remediate vulnerabilities in accordance with risk assessments"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe your vulnerability management process, including the scanning tools and schedule, how findings are rated and prioritized against your risk assessment, the remediation timelines for each severity level, how fixes are verified by rescan, and how risk acceptance decisions for unremediated findings are documented. Be specific -- name your actual products, settings, and responsible personnel.

Example SSP Narratives

Cloud (Azure/AWS)

"RA.L2-3.11.3 is implemented using cloud-native controls. [Organization] uses [Amazon Inspector/Microsoft Defender for Cloud/specific scanning service] to identify vulnerabilities and [patch or configuration management tool] to remediate them in accordance with risk assessments, within [documented timelines by severity]. The configuration is managed through [Azure Policy/AWS Config/Terraform] and findings are monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'scanner findings export, patch deployment logs, post-remediation rescan report']."

On-Premise

"RA.L2-3.11.3 is implemented through on-premise infrastructure controls. [Organization] uses [vulnerability scanner] to identify vulnerabilities and [WSUS/SCCM/specific patch tool] to remediate them in accordance with risk assessments, within [documented timelines by severity]. Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'scan report, patch deployment report, rescan results']."

Hybrid

"RA.L2-3.11.3 is implemented across both cloud and on-premise environments. [Organization] uses [centralized vulnerability management platform] to ensure consistent prioritization and remediation timelines across both. Cloud resources are scanned and remediated via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."

System Boundary Considerations

  • Define the risk assessment scope (CUI systems and supporting infrastructure)
  • Document vulnerability scanning coverage
  • Specify risk register maintenance process
  • Ensure this control covers every system within your defined CUI boundary, including the supporting infrastructure that can be used to reach CUI systems
  • Document any systems where this control is not applicable and explain why

Key Documentation to Reference in SSP

  • 📄 Risk Assessment Policy
  • 📄 Risk assessment report
  • 📄 Risk register
  • 📄 Vulnerability scan reports
  • 📄 Evidence artifacts specific to RA.L2-3.11.3
  • 📄 POA&M entry if control is not fully implemented

What the Assessor Looks For

The assessor will review your risk assessment methodology, verify vulnerability scanning frequency and coverage, check that identified risks are tracked in a risk register, and confirm executive risk acceptance decisions are documented.

💬 Self-Assessment Questions

Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.

Question 1: Do you perform regular vulnerability scans across all systems?

✅ YES → Proceed to Q2.
❌ NO → GAP: Implement a vulnerability scanning tool, tie it to your asset inventory, and schedule scans at least monthly.
Remediation effort: 1 week

Question 2: Do you classify vulnerabilities by severity and impact?

✅ YES → Proceed to Q3.
❌ NO → GAP: Develop a risk matrix and classify every open vulnerability against it.
Remediation effort: 2 days

Question 3: Do you remediate critical vulnerabilities within 7 days?

✅ YES → Proceed to Q4.
❌ NO → GAP: Prioritize critical vulnerabilities, assign resources for immediate remediation, and document a risk acceptance for any that cannot meet the timeline.
Remediation effort: Ongoing

Question 4: Do you document remediation actions and verify fixes?

✅ YES → Proceed to Q5.
❌ NO → GAP: Create a remediation plan and rescan systems after fixes to confirm each finding is closed.
Remediation effort: 1 week

Question 5: Do you maintain a risk assessment report and update it quarterly?

✅ YES → Compliant.
❌ NO → GAP: Develop a risk assessment report and schedule quarterly updates.
Remediation effort: 1 month

⚠️ Common Mistakes (What Auditors Flag)

1. Not scanning all systems regularly.

Why this happens: Focusing only on critical systems or forgetting to include new assets.
How to avoid: Automate scans and maintain an updated asset inventory.

2. Failing to prioritize vulnerabilities.

Why this happens: Lack of a risk matrix or understanding of severity.
How to avoid: Use a risk matrix and train staff on vulnerability classification.

3. Delaying critical vulnerability remediation.

Why this happens: Resource constraints or lack of urgency.
How to avoid: Assign dedicated resources and enforce strict timelines.

4. Not verifying fixes after remediation.

Why this happens: Assuming patches work without verification.
How to avoid: Rescan systems after applying patches.

5. Incomplete documentation.

Why this happens: Focusing only on technical fixes and neglecting reporting.
How to avoid: Use templates for remediation plans and scan reports.

📚 Parent Policy

This practice is governed by the Risk Assessment Policy.

View RA Policy →

📚 Related Controls