NIST defines patch management as the systematic notification, identification, deployment, installation, and verification of operating system and application software code revisions. These revisions are known as patches, hot fixes, and service packs. (Source)
Organizations should identify systems that are affected by announced software and firmware flaws including potential vulnerabilities resulting from those flaws. Security-relevant updates include, for example, patches, service packs, hot fixes, and anti-virus signatures. Organizations should also address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations can take advantage of available resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and Exposures (CVE) databases in remediating flaws discovered in organizational systems. (Source)
This NIST Special Publication is designed to provide guidelines for BIOS protections in server-class systems.
This NIST Special Publication is designed to provide a comprehensive set of security recommendations for the current landscape of the storage infrastructure.
This NIST Special Publication is designed to assist organizations in understanding the basics of enterprise patch management technologies.
NIST resources that define requirements for system maintenance activities.
NIST resources that define requirements for review, assessment, and approval of system maintenance tools.
NIST resources that define requirements for nonlocal system maintenance activities.
The link below is an example from North Carolina State University of a Security Patching Standard.
This SANS whitepaper examines the role of project management in building a successful vulnerability management program.
This SANS whitepaper looks at how a vulnerability management process could be designed and implemented within an organization.
This SANS whitepaper presents one methodology for identifying, evaluating, and applying security patches.
The primary focus of this slideshow is to educate administrators on the benefits of security patching, where to find information about patches, and how to deploy patches as they are needed.
ACAS consists of a suite of products, including the Security Center, the Nessus Scanner, and the Nessus Network Monitor, which is provided by DISA to DoD customers at no cost.
This brief slideshow presentation discusses general vulnerability concepts and stresses the importance of using administrator credentials for scanning.
In this video a security engineer introduces the viewer to NIST SP 800-171 Control 3.11.2 and vulnerability scanning.
The Open Web Application Security Project (OWASP) provides a list of commercial and free vulnerability scanning tools for various platforms.
This SANS whitepaper looks at how a vulnerability management process could be designed and implemented within an organization.
This SANS whitepaper discusses the benefits and pitfalls of vulnerability scanning and suggests an approach suitable for small and medium-sized businesses.
The policy below is an example from the state of Alabama of a vulnerability scanning policy.
This link provides information about CIS RAM, an information security risk assessment method.
This document provides assessment guidance for Level 1 of the Cybersecurity Maturity Model Certification (CMMC).
This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 3 and Level 2.
This Handbook provides a step-by-step guide to assessing a small manufacturer’s information systems against the security requirements in NIST SP 800-171 rev 1.
The purpose of this publication is to provide procedures for assessing the CUI requirements in NIST Special Publication 800-171.
This two-part webinar from BrightTALK discusses key challenges and pitfalls most vulnerability management programs face.
This document provides assessment guidance for Level 1 of the Cybersecurity Maturity Model Certification (CMMC).
This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 3 and Level 2.
NCATS is a service from the DHS that performs regular network and vulnerability scans and delivers a weekly report for your action.
This Handbook provides a step-by-step guide to assessing a small manufacturer’s information systems against the security requirements in NIST SP 800-171 rev 1.
This NIST Special Publication is a guide to the basic technical aspects of conducting information security assessments.
The purpose of this publication is to provide procedures for assessing the CUI requirements in NIST Special Publication 800-171.