Patching

NIST defines patch management as the systematic notification, identification, deployment, installation, and verification of operating system and application software code revisions. These revisions are known as patches, hot fixes, and service packs. (Source)

The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security and privacy responsibilities. Security-relevant updates include patches, service packs, and malicious code signatures. Organizations also address flaws discovered during assessments, continuous monitoring, incident response activities, and system error handling. By incorporating flaw remediation into configuration management processes, required remediation actions can be tracked and verified. (Source)

NIST SP 800-115: Technical Guide to Information Security Testing and Assessment
This NIST Special Publication is a guide to the basic technical aspects of conducting information security assessments.
NIST SP 800-40 Rev 4: Guide to Enterprise Patch Management Technologies
This NIST Special Publication is designed to assist organizations in understanding the basics of enterprise patch management technologies.
NIST SP 800-53 Rev 5: MA–2 Controlled Maintenance
NIST resources that defines requirement for controlled maintenance.
NIST SP 800-53 Rev 5: MA–3 Maintenance Tools
NIST resources that defines requirements for review, assessment, and approval of system maintenance tools
NIST SP 800-53 Rev 5: MA–4 Nonlocal Maintenance
NIST resources that define requirements for nonlocal system maintenance activities

Center for Internet Security – Risk Assessment Method
This link provides information about CIS RAM, an information security risk assessment method.
Connect Secure – Best Practices for Vulnerability Management Implementation
This article speaks to key components of a vulnerability management program for MSP's.
PurpleSec – How To Prioritize Vulnerabilities For Remediation
This article from PurpleSec identifies the importance of prioritizing vulnerabilities.
Sprocket Security – 10 Best Practices for Vulnerability Management
This article from Sprocket Security highlights the challenges of vulnerability management and how to establish an effective vulnerability management program.

Kaseya – Patch Management Policy
In this blog, Kaseya will discuss patch management policy best practices and explain how they contribute to a better patching environment for large and small organizations alike.
SANS Whitepaper – Vulnerabilities & Vulnerability Scanning
This SANS whitepaper discusses the benefits and pitfalls of Vulnerability Scanning suggests an approach suitable for small and medium-sized businesses.
Tripwire – Vulnerability Management Program Best Practices
In this article from Tripwire, they discuss the four stages of a vulnerability management program
Wiz.io – 11 Vulnerability Management Best Practices
In this article from Wiz, they discuss the 11 essential vulnerability management best practices organizations should start with.

Assured Compliance Assessment Solution (ACAS)
ACAS consists of a suite of products to include the Security Center, Nessus Scanner and the Nessus Network Monitor which is provided by DISA to DoD Customers at no cost.
Cybersecurity and Infrastructure Security Agency – Cyber Hygiene Services
Cyber Hygiene services are provided by CISA’s trained information security experts equipped with the latest tools. Because the services look for assets exposed to the internet, they identify vulnerabilities that could otherwise go unmanaged.
Cybersecurity and Infrastructure Security Agency – Free Cybersecurity Services and Tools
CISA has curated a database of free cybersecurity services and tools as part of our continuing mission to reduce cybersecurity risk across U.S. critical infrastructure partners and state, local, tribal, and territorial governments.
ninjaOne – Vulnerability Remediation Timelines: 7 Best Practices
This article explains the best ways to remediate vulnerabilities in a timely and prompt manner.
Open Web Application Security Project (OWASP) – Vulnerability Scanning Tools
Open Web Application Security Project (OWASP) provides a list of commercial and free vulnerability scanning tools for various platforms.
State of Alabama – Vulnerability Scanning Policy
The following is an example from the state of Alabama of a vulnerability scanning policy.
Wiz.io Top OSS vulnerability management tools
8 open-source vulnerability management tools and their features, categorized by use case.

CMMC Related Controls

Level 2 | MA.L2-3.7.1 – Perform Maintenance: Perform maintenance on organizational systems.

CMMC Assessment Guides

CMMC Level 1 Self-Assessment Guide
This document provides self-assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 1.
CMMC Level 2 Assessment Guide
This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2.
CMMC Level 3 Assessment Guide
This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 3.

Resources

Legal