STIGViewer Trial workspace — loading your subscription…

NIST 800-53 Rev 5

424 controls available

SI-2lowmoderatehigh

Flaw Remediation

System and Information Integrity

Control Statement

Identify, report, and correct system flaws; Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation; Install security-relevant software and firmware updates within {{ insert: param, si-02_odp }} of the release of the updates; and Incorporate flaw remediation into the organizational configuration management process.

Discussion

The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security and privacy responsibilities. Security-relevant updates include patches, service packs, and malicious code signatures. Organizations also address flaws discovered during assessments, continuous monitoring, incident response activities, and system error handling. By incorporating flaw remediation into configuration management processes, required remediation actions can be tracked and verified. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of risk factors, including the security category of the system, the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw), the organizational risk tolerance, the mission supported by the system, or the threat environment. Some types of flaw remediation may require more testing than other types. Organizations determine the type of testing needed for the specific type of flaw remediation activity under consideration and the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software or firmware updates is not necessary or practical, such as when implementing simple malicious code signature updates. In testing decisions, organizations consider whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures.

Framework
NIST SP 800-53 Rev 5
Family
System and Information Integrity
Baselines
low, moderate, high

Related Frameworks

87 paths across 2 frameworks
NIST 800-1713 mappings
3.14.1
1.00
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.14.2
1.00
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.14.3
1.00
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI36 mappings
CCI-001225
1.00
  • DISA · 2025-01-23 · disa_cci_list · equivalent
CCI-001226
1.00
  • DISA · 2025-01-23 · disa_cci_list · equivalent
CCI-001227
1.00
  • DISA · 2025-01-23 · disa_cci_list · equivalent
CCI-001228
1.00
  • DISA · 2025-01-23 · disa_cci_list · equivalent
CCI-001229
1.00
  • DISA · 2025-01-23 · disa_cci_list · equivalent
CCI-001230
1.00
  • DISA · 2025-01-23 · disa_cci_list · equivalent
CCI-001240
1.00
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
  • DISA · 2025-01-23 · disa_cci_list · equivalent
CCI-001241
1.00
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
  • DISA · 2025-01-23 · disa_cci_list · equivalent
CCI-001242
1.00
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
  • DISA · 2025-01-23 · disa_cci_list · equivalent
CCI-001243
1.00
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
  • DISA · 2025-01-23 · disa_cci_list · equivalent
CCI-001244
1.00
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
  • DISA · 2025-01-23 · disa_cci_list · equivalent
CCI-001245
1.00
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
  • DISA · 2025-01-23 · disa_cci_list · equivalent
CCI-001285
1.00
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
  • DISA · 2025-01-23 · disa_cci_list · equivalent
CCI-001286
1.00
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
  • DISA · 2025-01-23 · disa_cci_list · equivalent
CCI-001287
1.00
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
  • DISA · 2025-01-23 · disa_cci_list · equivalent
CCI-001288
1.00
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
  • DISA · 2025-01-23 · disa_cci_list · equivalent
CCI-001289
1.00
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
  • DISA · 2025-01-23 · disa_cci_list · equivalent
CCI-002602
1.00
  • DISA · 2025-01-23 · disa_cci_list · equivalent
CCI-002603
1.00
  • DISA · 2025-01-23 · disa_cci_list · equivalent
CCI-002604
1.00
  • DISA · 2025-01-23 · disa_cci_list · equivalent
CCI-002605
1.00
  • DISA · 2025-01-23 · disa_cci_list · equivalent
CCI-002606
1.00
  • DISA · 2025-01-23 · disa_cci_list · equivalent
CCI-002607
1.00
  • DISA · 2025-01-23 · disa_cci_list · equivalent
CCI-002619
1.00
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
  • DISA · 2025-01-23 · disa_cci_list · equivalent
CCI-002620
1.00
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
  • DISA · 2025-01-23 · disa_cci_list · equivalent
CCI-002621
1.00
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
  • DISA · 2025-01-23 · disa_cci_list · equivalent
CCI-002622
1.00
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
  • DISA · 2025-01-23 · disa_cci_list · equivalent
CCI-002623
1.00
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
  • DISA · 2025-01-23 · disa_cci_list · equivalent
CCI-002624
1.00
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
  • DISA · 2025-01-23 · disa_cci_list · equivalent
CCI-002692
1.00
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
  • DISA · 2025-01-23 · disa_cci_list · equivalent
CCI-002693
1.00
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
  • DISA · 2025-01-23 · disa_cci_list · equivalent
CCI-002694
1.00
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
  • DISA · 2025-01-23 · disa_cci_list · equivalent
CCI-004963
1.00
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
  • DISA · 2025-01-23 · disa_cci_list · equivalent
CCI-004964
1.00
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
  • DISA · 2025-01-23 · disa_cci_list · equivalent
CCI-004965
1.00
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
  • DISA · 2025-01-23 · disa_cci_list · equivalent
CCI-004966
1.00
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
  • DISA · 2025-01-23 · disa_cci_list · equivalent

Related STIGs

98 STIGs reach this control through 36 CCIs. Expand a row to see the responsible NICE and O*NET roles.

Operating System — Desktop

2 STIGs

Operating System — Server

20 STIGs
Oracle Linux 9 Security Technical Implementation Guide
V1R52026-02-172 of 448 findings match
Anduril NixOS Security Technical Implementation Guide
V1R22025-08-191 of 103 findings match
Show 12 more STIGs in this category →
IBM AIX 7.x Security Technical Implementation Guide
V3R22026-02-061 of 283 findings match
Oracle Linux 8 Security Technical Implementation Guide
V2R82026-02-131 of 375 findings match

Operating System — Mainframe

6 STIGs
Mainframe Product Security Requirements Guide
V3R42025-09-102 of 194 findings match
CA IDMS Security Technical Implementation Guide
V2R12024-09-131 of 74 findings match
IBM z/OS ACF2 Security Technical Implementation Guide
V9R82026-03-091 of 225 findings match
IBM z/OS RACF Security Technical Implementation Guide
V9R82026-03-091 of 222 findings match
IBM z/OS TSS Security Technical Implementation Guide
V9R82026-03-091 of 230 findings match

Network Device

12 STIGs

Database

14 STIGs
Database Security Requirements Guide
V4R52026-02-262 of 142 findings match
Show 6 more STIGs in this category →

Web / Application Server

15 STIGs
Application Server Security Requirements Guide
V4R42025-09-102 of 137 findings match
Show 7 more STIGs in this category →
Web Server Security Requirements Guide
V4R42025-09-101 of 126 findings match

Virtualization / Container

11 STIGs

Endpoint Security Management

11 STIGs
Central Log Server Security Requirements Guide
V3R42026-02-121 of 127 findings match
HYCU Protege Security Technical Implementation Guide
V1R22026-03-041 of 55 findings match
ISEC7 Sphere Security Technical Implementation Guide
V3R12024-08-201 of 34 findings match
Show 3 more STIGs in this category →
Tanium 7.x Security Technical Implementation Guide
V2R32025-05-141 of 98 findings match

Productivity Application

6 STIGs

Uncategorized

1 STIG