RV.2.2—Plan and implement risk responses for vulnerabilities.
>Control Description
Plan and implement risk responses for vulnerabilities.
>Practice: RV.2
Assess, Prioritize, and Remediate Vulnerabilities
Help ensure that vulnerabilities are remediated in accordance with risk to reduce the window of opportunity for attackers.
>Notional Implementation Examples
1. Make a risk-based decision as to whether each vulnerability will be remediated or if the risk will be addressed through other means (e.g., risk acceptance, risk transference), and prioritize any actions to be taken.
2. If a permanent mitigation for a vulnerability is not yet available, determine how the vulnerability can be temporarily mitigated until the permanent solution is available, and add that temporary remediation to the plan.
3. Develop and release security advisories that provide the necessary information to software acquirers, including descriptions of what the vulnerabilities are, how to find instances of the vulnerable software, and how to address them (e.g., where to get patches and what the patches change in the software; what configuration settings may need to be changed; how temporary workarounds could be implemented).
4. Deliver remediations to acquirers via an automated and trusted delivery mechanism. A single remediation could address multiple vulnerabilities.
5. Update records of design decisions, risk responses, and approved exceptions as needed. See PW.1.2.
>Cross-Framework References
Mappings to related frameworks and standards from NIST SP 800-218

| Framework / Standard | Mapped references |
|---|---|
| BSA FSS | VM.1-1, VM-2 |
| BSIMM | CMVM2.1 |
| EO 14028 | 4e(iv), 4e(vi), 4e(viii), 4e(ix) |
| IEC 62443 | DM-4 |
| ISO 30111 | 7.1.4, 7.1.5 |
| NIST Labels | 2.2.2.2 |
| PCI SSLC | 4.1, 4.2, 10.1 |
| SAFECode Agile | Operational Security Task 2 |
| SAFECode FPSSD | Fix the Vulnerability; Identify Mitigating Factors or Workarounds |
| SAFECode TPC | MITIGATE |
| SP 800-160 | 3.3.8 |
| SP 800-161 | SA-5, SA-8, SA-10, SA-11, SA-15(7) |
| SP 800-181 (NICE) | T0163, T0229, T0264, K0009, K0070 |