Form name: Vulnerability and Patch Management Policy
Form owner: <President/CIO>
Version: 1.0
Last review and approval date: MM/DD/YYYY

Vulnerability and Patch Management Policy

1. Description
Software and firmware vulnerabilities must be constantly managed and mitigated over time as new
vulnerabilities are discovered. The <COMPANY-XYZ> Information Technology (IT) department is
responsible for tracking, remediating, and reporting on vulnerability management for the organization’s
information technology assets. This policy addresses the following cybersecurity domains defined by the
Cybersecurity Maturity Model Certification (CMMC): Maintenance; System and Information Integrity.

2. Purpose
The purpose of the policy is to establish a common understanding of vulnerabilities and patch
management, guide the prioritization of remediation efforts, and provide timelines for each activity. This
policy also describes security requirements for performing information systems maintenance: patching
and vulnerability remediation falls into the category of maintenance, as well as activities like repairing or
replacing systems hardware.

3. Scope
This policy applies to <COMPANY-XYZ> information systems.

The following categories of systems are included in this policy:

 Internally developed software programs used within <COMPANY-XYZ>.
 Firmware, operating systems, and software applications on <COMPANY-XYZ> information
system end-user devices.
 Firmware and operating systems on <COMPANY-XYZ> information system network devices.
 Operating systems and applications on <COMPANY-XYZ> cloud systems which use the
Platform-as-a-Service (PaaS) or Infrastructure-as-a-Service (IaaS) model.
 Firmware, operating systems, and software applications on
<COMPANY-XYZ-INFORMATION-SYSTEM> miscellaneous devices such as printers and video cameras.

4. Vulnerability and Patch Management Requirements and Procedures

4.1. Legacy Systems

a) All software and systems used by <COMPANY-XYZ> for production shall be kept updated to a
version that is supported by the vendor. Support means the vendor provides guidance and updates
to resolve discovered vulnerabilities and functionality issues.
b) Systems that are scheduled for end-of-support by the vendor will be replaced prior to
end-of-support.

This document has been provided to our client for use internal to their legal entity and is not
to be redistributed. This document may not be disclosed to third parties without an executed
non-disclosure agreement.
Page 1 of 5

c) If a system is no longer supported (known as a “legacy” system), and cannot be replaced with a
supported version, it shall be identified and reviewed monthly by the Change Approval Board (CAB)
to determine a course of action.

4.2. Vulnerability Detection

a) The <COMPANY-XYZ> IT department is responsible for performing vulnerability scans of
<COMPANY-XYZ> assets to identify vulnerabilities in organizational systems and applications at
least once every 60 days.
b) Vulnerability scanners should use up-to-date databases of vulnerabilities (updated within the last 30
days).
c) Every device and system within the scope of this policy should be individually scanned for
vulnerabilities. Where this is not possible (such as end-user devices that are traveling), a
representative system with the same baseline configurations should be scanned instead.
d) Vulnerability scanners should be configured to perform a non-disruptive check of network ports and
protocols, operating systems, and installed applications on each system.
e) When new vulnerabilities are identified (such as a government-issued advisory for a system used
within <COMPANY-XYZ>), perform an out-of-schedule vulnerability scan against organizational
systems.

4.3. Automated Patch Management

a) Every end-user device managed by the <COMPANY-XYZ> IT department shall be registered with a
patch management system prior to entering production use.
b) Patch management systems shall perform the following functions:
 Report of patches that have been applied to each device
 Report of relevant patches that have not been applied to each device
 Last check-in date for each device
 Ability to trigger the installation of missing patches

4.4. Prioritization of Issues

a) All security issues that are discovered shall be mitigated based upon the following risk levels. These
risk levels are assessed using the OWASP Risk Rating Methodology.
 High – Any high-risk issue must be fixed immediately, or other mitigation strategies must be
put in place to limit exposure before deployment. Applications with high-risk issues are
subject to being taken off-line or denied release into the production environment.
 Medium – Medium-risk issues should be reviewed to determine what is required to mitigate
and scheduled accordingly. Applications with medium-risk issues may be taken off-line or
denied release into the production environment based on the number of issues and whether
multiple issues together increase the risk to an unacceptable level. Issues should be fixed in
routine patch releases unless other mitigation strategies will limit exposure.
 Low – Low-risk issues should be reviewed to determine what is required to correct the issue
and scheduled accordingly.


4.5. Vulnerability Mitigation

a) Mitigation is performed by patching systems, removing or disabling vulnerable software, or isolating
systems so that the vulnerability cannot be exploited. When obtaining software and configuration
scripts, verify that they are from a trusted and authenticated source. For example, download
directly from vendor websites or patch repositories and verify the signing certificate is authentic.
Never use patches or remediation scripts that were shared peer-to-peer (such as via web forums).
b) When obtaining software, the technician must always check the media or downloaded files for
malicious code before connecting it to <COMPANY-XYZ> information systems. This is generally
done by running an antivirus scan against removable media or downloading the files on a system
which is protected by antivirus.
c) The <COMPANY-XYZ> IT department will review systems to identify system flaws at least every 30
days. The IT department will internally report system flaws using a service request or change ticket
if the flaw will not automatically resolve itself using system capabilities within 30 days.
d) The <COMPANY-XYZ> IT department will perform vulnerability scanning at least every 90 days.
e) The <COMPANY-XYZ> IT department is responsible for mitigating all high-risk vulnerabilities or
system flaws within 45 days of discovery and medium-risk vulnerabilities or system flaws within 90
days.
f) Systems that cannot be mitigated within this time shall be disconnected from the
<COMPANY-XYZ-INFORMATION-SYSTEM>. If a deficient system cannot be isolated due to criticality, it shall be
identified and reviewed monthly by the CAB to determine a course of action.

4.6. Systems Maintenance

a) Prior to removing equipment offsite for maintenance, disposal, or repurpose, the <COMPANY-XYZ>
IT department is responsible for sanitizing or destroying all sensitive data on the device. Sanitization
will be performed using methods compliant with DoD 5220.22-M (if no CUI exists on device) or NIST
Special Publication 800-88 (if CUI exists on device).
b) Multi-factor authentication is required to establish non-local maintenance sessions across external
network connections. When maintenance is complete, promptly disconnect the network
connection.
c) <COMPANY-XYZ> information systems maintenance may only be performed by personnel who have
been granted privileged access through the Access Management process. If systems maintenance
must be performed by third parties (who have not been granted access to <COMPANY-XYZ>
Information Systems) they must be supervised by a <COMPANY-XYZ> privileged user. When
possible, the <COMPANY-XYZ> privileged user shall perform the action themselves with guidance
from the third party.
d) Tools used to perform maintenance must be tracked using appropriate configuration, change,
incident, or service request process. Tools for maintenance shall be updated and patched like other
<COMPANY-XYZ> systems and software. Tools and mechanisms provided by third party
maintenance personnel shall be checked for malware and verified to be from a reputable source
prior to use on <COMPANY-XYZ> information systems.


e) Security tools such as vulnerability scanners, antivirus programs and internet security agents must
update their threat intelligence databases daily, or each time the device connects to the Internet.
f) The <COMPANY-XYZ> <CISO> is responsible for oversight of maintenance activities to ensure this
policy is followed.

5. Related Documents
 Configuration Management Policy
 Risk Assessment Policy

6. Roles and Responsibilities

Position          Responsibility
<CIO>             Implement this policy; ensure activities are performed as described.
<CISO>            Review and advise <CIO> regarding cybersecurity concerns. Oversight of privileged activities.
<IT Department>   Implement and maintain systems as described by this policy.

7. Regulatory Guidelines
a) All activities described by this policy must be compliant with the Department of Defense’s
Cybersecurity Maturity Model Certification (CMMC).

8. Revision and Review History

Version   Reviewed / updated by   Date   Notes
1.0       Name                    Date   Initial approved version.

9. Authority
The responsible party for this policy is the <CIO>: Name.

The responsible party has authority to implement and enforce this policy within COMPANY-XYZ to
include disciplinary actions for non-compliant employees and contractors. The responsible party must
review this policy and related procedures, agreements, and forms at least annually.

Exceptions to this policy must be granted in writing by the responsible party and will be tracked in the
“COMPANY-XYZ – Policy Exception Tracking” file.


If you would like additional clarification about the information in this document or believe that this
policy is not being adhered to, please report your concerns to the <CIO> (<email@COMPANY-XYZ.com>).

The signature should be from an executive in the organization, such as the President or CEO, who is
delegating authority to the CIO to perform these tasks.

Signature X

© 2021 Kieri Solutions LLC
