CMMC Level 2

Control 3.11.3

Remediate Vulnerabilities in Accordance with Risk Assessments

CMMC-RP Certified Team 24+ Years Experience CMMC-AB RPO #1449

Official Requirement

Remediate vulnerabilities in accordance with assessments of risk.

What This Means in Plain English

Discovered vulnerabilities must be fixed based on their risk level. Critical vulnerabilities need immediate attention, while lower-risk issues can be scheduled for regular patching cycles. You need a process for prioritizing and tracking remediation.

How Petronella Implements This Control

Petronella Technology Group implements this control through:

  • Risk-based vulnerability remediation SLAs: Critical (48 hours), High (7 days), Medium (30 days), Low (90 days)
  • Patch management process aligned with vulnerability scan findings
  • Microsoft WSUS and Intune deploying patches within SLA timeframes
  • Compensating controls documented when immediate remediation is not feasible
  • ComplianceArmor tracking vulnerability remediation status against SLA targets
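As an added illustration (not Petronella's or ComplianceArmor's code), the following Python tracker applies the SLA tiers listed above to a set of constructed scan findings: it computes each finding's deadline, flags items past SLA, treats a documented compensating control as an interim state rather than a closure, and orders the open work so assessors can see critical and high items prioritized. Finding IDs, dates and control descriptions are placeholders, not real vulnerabilities.

```python
from datetime import datetime, timedelta

# Remediation SLA per severity, in hours, as stated on this page.
SLA_HOURS = {"critical": 48, "high": 7 * 24, "medium": 30 * 24, "low": 90 * 24}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed sample scan findings; IDs are placeholders, not real vulnerabilities.
SAMPLE_FINDINGS = [
    {"id": "FINDING-1", "severity": "critical", "found": "2024-03-09T00:00"},
    {"id": "FINDING-2", "severity": "high", "found": "2024-02-20T00:00"},
    {"id": "FINDING-3", "severity": "medium", "found": "2024-01-15T00:00",
     "compensating_control": "host moved to a restricted network segment"},
    {"id": "FINDING-4", "severity": "low", "found": "2024-01-01T00:00",
     "closed": "2024-02-01T00:00"},
    {"id": "FINDING-5", "severity": "critical", "found": "2024-03-01T00:00",
     "closed": "2024-03-05T00:00"},
]
NOW = datetime(2024, 3, 10, 12, 0)  # constructed "current time" for the report

def due_date(finding):
    """Deadline = discovery time plus the SLA for the finding's severity."""
    found = datetime.fromisoformat(finding["found"])
    return found + timedelta(hours=SLA_HOURS[finding["severity"]])

def classify(finding, now=NOW):
    """SLA status: closed_in_sla, closed_late, on_track, compensated
    (past SLA but with a documented compensating control), or overdue."""
    due = due_date(finding)
    if "closed" in finding:
        closed = datetime.fromisoformat(finding["closed"])
        return "closed_in_sla" if closed <= due else "closed_late"
    if now <= due:
        return "on_track"
    if finding.get("compensating_control"):
        return "compensated"
    return "overdue"

def sla_report(findings=SAMPLE_FINDINGS, now=NOW):
    return {f["id"]: classify(f, now) for f in findings}

def remediation_queue(findings=SAMPLE_FINDINGS, now=NOW):
    """Open findings in work order: uncompensated overdue items first, then by
    severity, then by deadline. Compensated items stay queued because a
    compensating control is interim, not a fix."""
    open_items = [f for f in findings if "closed" not in f]
    key = lambda f: (classify(f, now) != "overdue",
                     SEVERITY_RANK[f["severity"]], due_date(f))
    return [f["id"] for f in sorted(open_items, key=key)]

if __name__ == "__main__":
    for fid, status in sla_report().items():
        print(fid, status)
    print("work order:", remediation_queue())
```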

Assessment Guidance

Assessors will review vulnerability remediation timelines against defined SLAs, verify that critical and high vulnerabilities are prioritized, check that compensating controls exist for unpatched vulnerabilities, and confirm that remediation is tracked to closure.

Common Implementation Gaps

  • No defined remediation timelines or SLAs
  • Critical vulnerabilities left unpatched for months
  • No tracking of vulnerability remediation progress
  • Patches applied without prioritization based on risk
  • No compensating controls for vulnerabilities that cannot be immediately patched

Cross-Framework Mapping

Framework        Mapped Controls
NIST SP 800-53   RA-5
PCI DSS          Req 6.2 - Protect all system components from known vulnerabilities

By Craig Petronella
Founder, Petronella Technology Group | CMMC-RP (RPO #1449) | DFE #604180 | MIT-Certified in AI and Blockchain
Craig has helped North Carolina defense contractors prepare for CMMC assessments since 2002 and authored the CMMC 2.0 Certification Guide. Read the LinkedIn profile or verify the RPO listing at the CyberAB Marketplace.

Need Help Implementing 3.11.3?

Our CMMC-RP certified team can assess your current compliance posture and build a remediation plan.
