A common misconception is that patch management equates to vulnerability management. At MAD Security, this confusion presents itself during security assessments and remediation efforts with our clients.
Patch management involves discovering and updating software within your Information Technology (IT) infrastructure. This process can include automated and manual procedures for identifying, reporting and applying patches. A similar but different method known as vulnerability management is the process of discovering and remediating vulnerabilities in your IT infrastructure. Like patch management, vulnerability management can use similar manual and automated techniques; however, not all vulnerabilities involve patching a system or application. This is where the confusion lies, potentially creating security and compliance concerns.
It is not uncommon for some to state that they remediate vulnerabilities via their patch management process; this is an incorrect assumption and a terrible security practice. If you rely solely on your patch management process for vulnerabilities, how do you discover and mitigate against zero days or vulnerabilities without patches that may require configuration changes? The simple answer is that you don’t.
In our discussions about the security practices related to patch and vulnerability management within the CMMC framework, we have seen practice SI.L1-3.14.1, “Identify, report, and correct information and information system flaws in a timely manner, ” require planned remediation to implement vulnerability management practices. There are two main issues with this planned remediation.
The first issue is practice SI.L1-3.14.1, designated as a Level 1 practice for CMMC, which only requires patch management practices. Level 1 practices are the essential safeguards that all defense contractors must implement. One of those practices is the ability to identify, report, and correct flaws. Flaws are not inherently vulnerabilities, as they can be functional software bugs that only impact the user experience, not the system’s security. Most vulnerability programs do not discover operational software flaws, which leaves a gap in identifying if vulnerability management was your only answer for flaw remediation.
The second issue arises when we examine CMMC practices RA. L2-3.11.2 and RA. L2-3.11.3, which requires creating a vulnerability management program that scans, reports, and remediates vulnerabilities. These two practices are designated as Level 2 practices for CMMC. Level 2 practices for CMMC are the requirements for defense contractors that will store, process, and transmit CUI (Controlled Unclassified Information) within their IT environment. We must make a distinction here because if not, vulnerability management becomes a Level 1 practice which is different from the intent of Level 1.
- Implement a patch management solution capable of identifying, reporting, and correcting flaws on all applicable systems, which will help satisfy SI.L1-3.14.1 – “Identify, report, and correct information and information system flaws in a timely manner.”
- Implement a vulnerability scanning capability to identify and report risk, which will aid in satisfying RA.L2-3.11.2 “Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.”
- Use a combination of your implemented patch management solution and vulnerability scanning solution to remediate discovered vulnerabilities where applicable, which will aid in satisfying RA.L2-3.11.3. – “Remediate vulnerabilities in accordance with risk assessments.”