Providing Continuous Compliance for the Confidentiality, Integrity, and Availability of our customers' systems and applications
Automated Flaw Remediation Status
Time to Remediate Flaws and Benchmarks for Corrective Actions
Software, Firmware, and Information Integrity
Automated Notifications of Integrity Violations
Centrally Managed Integrity Tools
Automation Support for Accuracy and Concurrency
Configuration Change Control
Automated Security Response
Predictable Failure Prevention
Identify, report, and correct system flaws
Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation
Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates
Incorporate flaw remediation into the organizational configuration management process
Determine if system components have applicable security-relevant software and firmware updates installed using automated mechanisms with a defined frequency
Measure the time between flaw identification and flaw remediation
Establish benchmarks for taking corrective actions
Employ integrity verification tools to detect unauthorized changes to software, firmware, and information.
Take actions when unauthorized changes to the software, firmware, and information are detected.
Perform an integrity check of organization-defined software, firmware, and information at startup, during transitional states, during security-relevant events, or at a set frequency.
Employ automated tools that provide notification to [Assignment: organization-defined personnel or roles] upon discovering discrepancies during integrity verification.
Employ centrally managed integrity verification tools.
Develop, document, and maintain under configuration control, a current baseline configuration of the system
Review and update the baseline configuration of the system when required: at a defined frequency, due to organization-defined circumstances, or when system components are installed or upgraded.
Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using organization-defined automated mechanisms.
Determine and document the types of changes to the system that are configuration-controlled.
Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses.
Document configuration change decisions associated with the system.
Implement approved configuration-controlled changes to the system.
Retain records of configuration-controlled changes to the system for an organization-defined time period.
Monitor and review activities associated with configuration-controlled changes to the system.
Coordinate and provide oversight for configuration change control activities through organization-defined configuration change control frequency or change conditions.
Implement security responses automatically if baseline configurations are changed in an unauthorized manner
Centrally manage organization-defined controls and related processes.
Determine mean time to failure (MTTF) for organization-defined system components in specific environments of operation.
Provide substitute system components and a means to exchange active and standby components in accordance with the organization-defined MTTF substitution criteria.