NIST Cybersecurity Framework RS.MI-3: New Vulnerability Mitigation
RS.MI-3 requires organizations to identify newly discovered vulnerabilities and either mitigate them promptly or formally accept them as documented risks. For SMBs managing limited security resources, this control ensures vulnerabilities don't slip through the cracks while balancing remediation timelines with business operations.
What this means
When your organization identifies a new vulnerability—whether through scanning, disclosure, or threat intelligence—you must take one of two paths: actively mitigate the risk through patching, configuration changes, or workarounds, or formally document and approve it as an accepted business risk. This prevents the common scenario where vulnerabilities are discovered but never resolved or tracked, leaving security gaps that attackers can exploit.
How to comply
- 1.Establish a vulnerability discovery and intake process that captures newly identified vulnerabilities from all sources (scanners, vendors, internal assessments, threat feeds)
- 2.Define clear timelines for vulnerability assessment and prioritization based on severity, exploitability, and asset criticality
- 3.For each vulnerability, determine whether to mitigate (remediate) or accept the risk through documented decision authority
- 4.If mitigating: implement fixes, patches, or compensating controls within your defined SLA
- 5.If accepting: document the business justification, residual risk, and re-evaluation timeline in a formal risk acceptance record
- 6.Track all vulnerabilities and their status (open, mitigated, accepted) in a centralized inventory or log
- 7.Conduct periodic reviews to ensure accepted risks remain aligned with your risk tolerance and business context
Evidence auditors look for
- Vulnerability scanning reports with identified CVEs and dates of discovery
- Patch management records showing applied updates and remediation dates
- Risk acceptance documentation signed by appropriate business or security leadership
- Vulnerability management policy defining assessment SLAs and escalation procedures
- Monthly vulnerability status reports showing open, mitigated, and accepted items
- Change control records documenting compensating controls deployed for unpatched vulnerabilities
- Audit logs from vulnerability tracking tools (Tenable, Qualys, Rapid7, etc.)
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch centralizes vulnerability tracking and automates risk acceptance workflows, so you can log a new CVE, assign it for remediation or approval, track SLA compliance, and generate audit-ready reports—all without spreadsheets or manual status chasing.
See how GRCWatch handles this control automatically
Start free trial