RA.L2-3.11.3: Remediate Vulnerabilities in Accordance with Risk Assessments
Vulnerability remediation isn't about fixing everything at once—it's about fixing the right things first. CMMC RA.L2-3.11.3 requires you to prioritize remediation based on risk assessments, ensuring your team focuses effort where threats are highest. This control bridges vulnerability discovery and action, transforming security findings into a defensible remediation strategy.
What this means
This control requires organizations to establish a systematic approach to fixing identified vulnerabilities by using risk assessment data to guide remediation priorities. Rather than treating all vulnerabilities equally, you must evaluate severity, exploitability, asset criticality, and business impact to determine remediation timelines. The goal is ensuring that high-risk vulnerabilities are addressed first, medium-risk vulnerabilities follow a defined timeline, and low-risk issues are managed through appropriate tracking and review processes.
How to comply
- 1.Conduct regular vulnerability scans and assessments across all systems and software
- 2.Document each identified vulnerability with severity rating, affected assets, and exploitability factors
- 3.Map vulnerabilities to your risk assessment framework using CVSS scores or equivalent severity metrics
- 4.Assign remediation priorities based on risk level and business criticality of affected systems
- 5.Establish remediation timelines (e.g., critical: 15 days, high: 30 days, medium: 90 days, low: 180 days)
- 6.Create remediation tickets or tasks with clear ownership and deadline accountability
- 7.Execute remediation activities including patches, configuration changes, or system replacement
- 8.Verify remediation completion through rescanning or validation testing
- 9.Document all remediation activities including what was fixed, when, and by whom
- 10.Review remediation performance quarterly to identify bottlenecks or systemic issues
Evidence auditors look for
- Vulnerability management tool reports showing scan dates, vulnerability identifications, and severity ratings
- Risk assessment matrix mapping vulnerabilities to risk levels and business impact
- Remediation tracking spreadsheet or tickets with priority assignment, due dates, and closure dates
- Patch management logs showing installation dates and affected systems
- Vulnerability rescans demonstrating closure of previously identified issues
- Remediation SLA documentation defining timeline expectations by severity level
- Executive reports showing remediation metrics, mean time to remediation (MTTR), and trends
- Change management records documenting remediation activities and approvals
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates vulnerability prioritization by integrating your scan data with risk assessment scores, auto-generating remediation tickets with CMMC-aligned timelines, and tracking closure evidence—eliminating manual spreadsheet juggling and remediation delays.
See how GRCWatch handles this control automatically
Start free trial