3.11.3 has a weight of -1 points

System Security Plan (SSP) for Control 3.11.3

Title: Remediation of Vulnerabilities in Accordance with Risk Assessments

1. Purpose:

   • This SSP ensures that we appropriately address vulnerabilities identified within the organization based on their assessed risk. By following this plan, we ensure the security of our digital assets, maintain the confidentiality of our customer data, and protect our brand reputation.

2. Scope:

   • The plan encompasses all organizational systems, applications, databases, network devices, and related infrastructures susceptible to vulnerabilities.

3. Responsibilities:

   • IT Department: We execute regular vulnerability scans and work closely with the security team during incident responses.
   • Internal Risk Management Team: We conduct risk assessments quarterly, provide risk scoring for identified vulnerabilities, and suggest remediation prioritization.
   • Security Team: We activate the incident response plan when vulnerabilities are detected, oversee remediation efforts, and ensure policy adherence.
   • Department Heads: We ensure compliance with remediation directives and that department-specific applications or systems are available for scanning.

4. Vulnerability Management Procedures:

   • Periodic Scanning: We utilize vulnerability scanning tools to detect potential security weaknesses in organizational assets.
   • Incident Response: When we detect a vulnerability, we invoke the Incident Response Plan to address the issue swiftly and effectively.
   • Risk Assessments: We conduct risk assessments quarterly, considering factors like potential business impact, likelihood of exploitation, and data sensitivity.

5. Plan of Action (PoA):

   • When identifying vulnerabilities, we formulate a PoA that outlines the remediation steps, required resources, and targeted completion dates.
   • Milestones: We define milestones within the PoA to ensure trackable remediation activities and accomplish them within stipulated time frames.

6. Remediation:

   • We prioritize remediation efforts based on risk scores derived from assessments.
   • While we aim to remediate all vulnerabilities, we focus on those posing the highest risk to the organization.

7. Review and Update:

   • We review this SSP annually or after any significant infrastructural or procedural changes to ensure its continued relevance and effectiveness.

8. Documentation:

   • We document all risk assessment findings, remediation activities, and PoA milestones for transparency and future reference.

9. Continuous Improvement:

   • We encourage feedback from all departments and regularly update the SSP to align with the evolving threat landscape and business requirements.

10. Training:

• We ensure that all staff, especially those in IT and Security, undergo regular training on vulnerability management and remediation processes.

Plan of Action and Milestones (POA&M) for Control 3.11.3

1. Milestone: Establish Regular Vulnerability Scanning

• Objective: Ensure all organizational assets are scanned for vulnerabilities.
• Responsibility: IT Department.
• Resources: Vulnerability scanning tools, dedicated IT personnel.
• Targeted Completion Date: [Date].

2. Milestone: Finalize and Review the Incident Response Plan

• Objective: Update and refine the Incident Response Plan to ensure rapid and effective responses to detected vulnerabilities.
• Responsibility: Security Team.
• Resources: Previous incident reports, external consultancy (if required).
• Targeted Completion Date: [Date].

3. Milestone: Quarterly Risk Assessments

• Objective: Conduct the first of the regular quarterly risk assessments.
• Responsibility: Internal Risk Management Team.
• Resources: Risk assessment tools, access to system logs and network data.
• Targeted Completion Date: [Date].

4. Milestone: Develop a Standardized Plan of Action Template

• Objective: Create a template to streamline the creation of PoA whenever vulnerabilities are identified.
• Responsibility: Security Team, with input from IT and Risk Management.
• Resources: Previous PoA examples, industry best practices.
• Targeted Completion Date: [Date].

5. Milestone: Prioritization Framework Establishment

• Objective: Develop a framework to prioritize remediation efforts based on the risk score.
• Responsibility: Internal Risk Management Team.
• Resources: Risk assessment tools, historical vulnerability data.
• Targeted Completion Date: [Date].

6. Milestone: Documentation Process Implementation

• Objective: Ensure thorough and standardized documentation of all vulnerability management activities.
• Responsibility: Security Team.
• Resources: Documentation tools/platforms, staff training.
• Targeted Completion Date: [Date].

7. Milestone: Staff Training Initiation

• Objective: Begin the training program on vulnerability management and remediation.
• Responsibility: Department Heads.
• Resources: External trainers or e-learning platforms, internal guidelines.
• Targeted Completion Date: [Date].

Incident Response Procedures Plan

I. Purpose: The purpose of these procedures is to define the company’s approach to managing and responding to security incidents involving unauthorized acquisition, dissemination, use, or loss of nonpublic information.

II. Scope: These procedures apply to all employees, contractors, and third-party agents who have access to company-controlled information.

III. Definitions: Incident/Security Breach: An unauthorized acquisition, dissemination, use, or loss of nonpublic information.

IV. Incident Reporting:

• Every employee is obligated to notify the Facility Security Officer (FSO) immediately upon becoming aware of a potential security breach that may compromise nonpublic information.
• All potential security breaches, whether suspected or confirmed, must be reported.

V. Incident Response Procedures:

1. Initial Assessment:
   • Managers shall conduct a thorough assessment of the reported security breach to determine its scope, impact, and potential damage.
   • Determine the type, nature, and amount of data involved.
2. Containment:
   • Initiate immediate containment measures to prevent further unauthorized access, dissemination, or loss.
   • Isolate affected systems or processes to minimize the spread of damage.
3. Legal Consultation:
   • Consult with legal counsel to ensure that the company’s response is compliant with all applicable laws and regulations.
4. Regulatory Compliance:
   • Review and understand requirements under applicable state laws and regulations related to the breach.
   • Determine notification and reporting obligations.
5. DIBNet Notification:
   • Contact DIBNet (Defense Industrial Base Network) under the following circumstances:
     • Compromise of Covered Defense Information (CDI).
     • Impact on the ability to provide operationally critical support.
     • Discovery of malicious software.
     • Unauthorized external access to systems.
     • Compromise of cyber-related tools or software.
     • Any other criteria stipulated under DFARS.
   • Ensure the timely reporting of incidents to DIBNet, typically within 72 hours of discovering the incident, in alignment with DFARS regulations.
   • Cooperate with the Department of Defense, providing further details upon request and assisting in any joint investigations if needed.
6. Carrier Notification:
   • Notify the carriers whose policyholders may have been affected.
   • Inform the company’s cybersecurity coverage carrier about the incident.
7. Notification of Affected Parties:
   • Notify affected individuals about the breach, detailing potential risks and protective actions they can take.
   • Notify appropriate regulatory and law enforcement authorities, if required or deemed appropriate.
   • Draft clear, concise, and accurate communications about the incident for affected individuals and, if appropriate, company customers.
8. Corrective Actions:
   • Document and implement corrective actions to contain, control, and remedy the security breach.
   • Evaluate the effectiveness of the containment measures and modify as necessary.
9. Investigation:
   • All security breaches will be fully investigated by the designated personnel, including managers, the FSO, and Managed Service Providers (MSP).
   • Ensure comprehensive documentation of the investigative process, findings, and decisions made.
10. Briefing:

• Maintain transparency by briefing all affected parties, such as the prime contractor, subcontractor, and government organization, about the incident and the company’s response actions.

VI. Post-Incident Activities:

• Conduct a post-incident review to identify lessons learned.
• Make necessary updates to policies, procedures, and controls to prevent recurrence.
• Provide necessary training and awareness sessions for employees.

VII. Revision and Review:

• This procedure will be reviewed annually and updated as needed to reflect changes in regulatory requirements and the company’s operational environment.

Approval: [Signature] [Title] [Date]