Vulnerability Remediation

If a vulnerability scan identifies vulnerabilities in your unit, or you learn of new vulnerabilities, you are expected to remediate them.

Prioritize Based on Severity

Prioritize your remediation efforts based on the severity of the vulnerability and its potential impact on the confidentiality, integrity, or availability of the vulnerable system or data. Vulnerability severity is determined by the rating provided by the National Institute of Standards and Technology (NIST) Common Vulnerability Scoring System (CVSS).

Highest priority should be given to vulnerabilities rated Critical (CVSS 9-10) or High (CVSS 7-8.9).

Meet Remediation Timeframes

After a vulnerability is detected and a fix is available, the timeline for remediation begins.

  • Critical (CVSS 9-10) Vulnerabilities:
    • Create corrective action plan within two weeks.
    • Remediate vulnerability within one month.
  • High (CVSS 7-8.9) Vulnerabilities:
    • Create corrective action plan within one month.
    • Remediate vulnerability within three months.
  • Other Vulnerabilities:
    • Can be resolved based on availability of staff resources.

If IA has issued an alert for a critical vulnerability, requirements specified within the alert supersede those above. Some critical vulnerabilities that pose a significant risk may require expedited timeframes for remediation. The IA alert will state when there is a need for accelerated action.

Laws, regulations, standards, or contractual agreements may also dictate a higher priority and shorter timeline than the CVSS score alone indicates. For example, to comply with the Payment Card Industry Data Security Standard (PCI DSS), any U-M PCI environment with a vulnerability that has a CVSS score of 4 or higher must be remediated within 30 days of notification. Vulnerabilities with scores lower than 4 must be remediated within two to three months.

Corrective Action Planning

Corrective action plans should:

  • Validate that the vulnerability is properly identified and prioritized.
  • Include action-oriented descriptions of the steps that will be taken to mitigate the vulnerability.
  • Ensure that appropriate resources are, or will be, available to remediate the vulnerability.
  • Identify milestones in the remediation process to fully address and resolve the vulnerability.
  • Ensure that the schedule for resolving the vulnerability is achievable and allows for appropriate testing.

Can't meet the expected remediation timeline? Contact IA (through the ITS Service Center) to discuss options and alternatives to ensure a safe IT environment in your unit.