last sync: 2024-Nov-25 18:54:24 UTC

Measure the time between flaw identification and flaw remediation | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Measure the time between flaw identification and flaw remediation
Id dad1887d-161b-7b61-2e4d-5124a7b5724e
Version 1.1.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.1.0
Built-in Versioning [Preview]
Category Regulatory Compliance
Microsoft Learn
Description CMA_C1674 - Measure the time between flaw identification and flaw remediation
Additional metadata Name/Id: CMA_C1674 / CMA_C1674
Category: Operational
Title: Measure the time between flaw identification and flaw remediation
Ownership: Customer
Description: The customer is responsible for remediating flaws within customer-deployed resources, including measuring the time between flaw identification and flaw remediation.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 6 compliance controls are associated with this Policy definition 'Measure the time between flaw identification and flaw remediation' (dad1887d-161b-7b61-2e4d-5124a7b5724e)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 SI-2(3) FedRAMP_High_R4_SI-2(3) FedRAMP High SI-2 (3) System And Information Integrity Time To Remediate Flaws / Benchmarks For Corrective Actions Shared n/a The organization: (a) Measures the time between flaw identification and flaw remediation; and (b) Establishes [Assignment: organization-defined benchmarks] for taking corrective actions. Supplemental Guidance: This control enhancement requires organizations to determine the current time it takes on the average to correct information system flaws after such flaws have been identified, and subsequently establish organizational benchmarks (i.e., time frames) for taking corrective actions. Benchmarks can be established by type of flaw and/or severity of the potential vulnerability if the flaw can be exploited. link 2
FedRAMP_Moderate_R4 SI-2(3) FedRAMP_Moderate_R4_SI-2(3) FedRAMP Moderate SI-2 (3) System And Information Integrity Time To Remediate Flaws / Benchmarks For Corrective Actions Shared n/a The organization: (a) Measures the time between flaw identification and flaw remediation; and (b) Establishes [Assignment: organization-defined benchmarks] for taking corrective actions. Supplemental Guidance: This control enhancement requires organizations to determine the current time it takes on the average to correct information system flaws after such flaws have been identified, and subsequently establish organizational benchmarks (i.e., time frames) for taking corrective actions. Benchmarks can be established by type of flaw and/or severity of the potential vulnerability if the flaw can be exploited. link 2
hipaa 0713.10m2Organizational.5-10.m hipaa-0713.10m2Organizational.5-10.m 0713.10m2Organizational.5-10.m 07 Vulnerability Management 0713.10m2Organizational.5-10.m 10.06 Technical Vulnerability Management Shared n/a Patches are tested and evaluated before they are installed. 5
hipaa 0787.10m2Organizational.14-10.m hipaa-0787.10m2Organizational.14-10.m 0787.10m2Organizational.14-10.m 07 Vulnerability Management 0787.10m2Organizational.14-10.m 10.06 Technical Vulnerability Management Shared n/a Patches installed in the production environment are also installed in the organization's disaster recovery environment in a timely manner. 4
NIST_SP_800-53_R4 SI-2(3) NIST_SP_800-53_R4_SI-2(3) NIST SP 800-53 Rev. 4 SI-2 (3) System And Information Integrity Time To Remediate Flaws / Benchmarks For Corrective Actions Shared n/a The organization: (a) Measures the time between flaw identification and flaw remediation; and (b) Establishes [Assignment: organization-defined benchmarks] for taking corrective actions. Supplemental Guidance: This control enhancement requires organizations to determine the current time it takes on the average to correct information system flaws after such flaws have been identified, and subsequently establish organizational benchmarks (i.e., time frames) for taking corrective actions. Benchmarks can be established by type of flaw and/or severity of the potential vulnerability if the flaw can be exploited. link 2
NIST_SP_800-53_R5 SI-2(3) NIST_SP_800-53_R5_SI-2(3) NIST SP 800-53 Rev. 5 SI-2 (3) System and Information Integrity Time to Remediate Flaws and Benchmarks for Corrective Actions Shared n/a (a) Measure the time between flaw identification and flaw remediation; and (b) Establish the following benchmarks for taking corrective actions: [Assignment: organization-defined benchmarks]. link 2
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-19 17:41:40 add dad1887d-161b-7b61-2e4d-5124a7b5724e
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC