SI-2 / RA-5 / CIS-7.2 / A.12.6.1 NIST SP 800-53 Rev 5

What is your SLA for remediating critical / KEV-listed vulnerabilities on internet-facing systems?

Demonstrate that the organization maintains and consistently meets a documented SLA for remediating critical and KEV-listed vulnerabilities on internet-facing systems within defined timeframes.

Description

What this control does

This control defines and enforces a documented Service Level Agreement (SLA) that specifies maximum timeframes for patching or remediating vulnerabilities classified as critical or listed in CISA's Known Exploited Vulnerabilities (KEV) catalog on systems exposed to the internet. The SLA typically mandates remediation within 24-72 hours for KEV-listed vulnerabilities and 7-15 days for other critical vulnerabilities, reflecting the heightened risk of exploitation on internet-facing assets. Organizations track adherence to these SLAs through vulnerability management platforms and escalation procedures to ensure timely risk reduction.

Control objective

What auditing this proves

Demonstrate that the organization maintains and consistently meets a documented SLA for remediating critical and KEV-listed vulnerabilities on internet-facing systems within defined timeframes.

Associated risks

Risks this control addresses

  • Active exploitation of KEV-listed vulnerabilities by threat actors before patches are applied, leading to system compromise
  • Prolonged exposure windows for critical vulnerabilities on internet-facing systems allowing automated scanning tools to identify and exploit weaknesses
  • Data breach or ransomware deployment through unpatched critical flaws on publicly accessible web servers, VPNs, or remote access portals
  • Regulatory non-compliance and potential fines for failure to meet industry-standard vulnerability remediation timeframes
  • Reputational damage and customer trust erosion following successful attacks on known, publicly exploited vulnerabilities
  • Business disruption caused by emergency patching performed under duress after exploit attempts, rather than controlled remediation
  • Lateral movement and internal network compromise after initial foothold gained through internet-facing vulnerable systems

Testing procedure

How an auditor verifies this control

  1. Obtain and review the organization's documented vulnerability management policy and SLA definitions for critical and KEV-listed vulnerabilities on internet-facing systems.
  2. Request an inventory of all internet-facing systems and assets, including web servers, VPN gateways, email servers, remote access portals, and external APIs.
  3. Export vulnerability scan results from the last 90 days covering internet-facing systems, filtering for critical-severity findings and cross-referencing with the current CISA KEV catalog.
  4. Select a representative sample of 10-15 critical or KEV-listed vulnerabilities discovered on internet-facing systems during the review period.
  5. For each sampled vulnerability, trace the complete remediation lifecycle from initial detection date through resolution date using ticketing system records, patch logs, and scan validation reports.
  6. Calculate elapsed time between detection and remediation for each sampled vulnerability and compare against the documented SLA thresholds.
  7. Interview IT operations and security personnel to understand escalation procedures, resource allocation mechanisms, and exception handling processes when SLA deadlines are at risk.
  8. Review management dashboards, SLA compliance reports, and executive briefings to verify monitoring and accountability mechanisms for SLA adherence are actively used.
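Steps 3 to 6 of the procedure and the pass criteria below, carried out in code as an added worked example that is not part of this control page: the findings, KEV entries, change-ticket reference and timestamps are constructed placeholders, and the upper bound of each SLA range given in the description (72 hours for KEV, 15 days for other criticals) is assumed to be the enforced threshold.

```python
from datetime import datetime, timedelta
# Constructed stand-in for a CISA KEV catalog export (placeholder IDs, not real CVEs).
KEV_CATALOG = {"CVE-0000-0001", "CVE-0000-0004"}
# SLA ceilings from the control text; the upper bound of each range is assumed to be enforced.
SLA_HOURS = {"kev": 72, "critical": 15 * 24}

def sla_tier(finding, kev_catalog):
    """KEV listing overrides scanner severity; anything else is out of scope for this SLA."""
    if finding["cve"] in kev_catalog:
        return "kev"
    return "critical" if finding["severity"] == "critical" else None

def evaluate_findings(findings, kev_catalog, sla_hours, as_of):
    """One record per in-scope finding; open items are measured up to `as_of`, so an unpatched KEV is a breach."""
    results = []
    for f in findings:
        tier = sla_tier(f, kev_catalog)
        if tier is None or not f["internet_facing"]:
            continue
        detected = datetime.fromisoformat(f["detected"])
        closed = datetime.fromisoformat(f["remediated"]) if f["remediated"] else as_of
        elapsed_h = (closed - detected) / timedelta(hours=1)
        results.append({"cve": f["cve"], "tier": tier, "elapsed_hours": round(elapsed_h, 1),
                        "open": f["remediated"] is None, "within_sla": elapsed_h <= sla_hours[tier],
                        "exception_documented": bool(f.get("exception"))})
    return results

def sla_verdict(results, min_adherence=0.90):
    """Pass criteria: at least 90 % adherence and a documented exception for every breach."""
    met = sum(r["within_sla"] for r in results)
    rate = met / len(results) if results else 0.0
    undocumented = [r["cve"] for r in results if not r["within_sla"] and not r["exception_documented"]]
    return {"adherence": round(rate, 3), "undocumented_breaches": undocumented,
            "passes": rate >= min_adherence and not undocumented}

# Constructed sample: scan findings joined with ticket closure timestamps (ISO 8601).
SAMPLE_FINDINGS = [
    {"cve": "CVE-0000-0001", "severity": "high", "internet_facing": True,
     "detected": "2024-03-01T08:00", "remediated": "2024-03-03T20:00"},  # KEV, 60 h: met
    {"cve": "CVE-0000-0002", "severity": "critical", "internet_facing": True,
     "detected": "2024-03-01T08:00", "remediated": "2024-03-20T08:00"},  # 19 d, no exception: breach
    {"cve": "CVE-0000-0003", "severity": "critical", "internet_facing": False,
     "detected": "2024-03-01T08:00", "remediated": None},  # internal host: out of scope
    {"cve": "CVE-0000-0004", "severity": "medium", "internet_facing": True, "detected": "2024-03-10T08:00",
     "remediated": None, "exception": "CHG-PLACEHOLDER: vendor fix pending, compensating WAF rule"},
    {"cve": "CVE-0000-0005", "severity": "critical", "internet_facing": True,
     "detected": "2024-03-05T08:00", "remediated": "2024-03-12T08:00"},  # 7 d: met
]
AS_OF = datetime.fromisoformat("2024-03-31T00:00")  # audit cut-off date for open findings
```

Running `sla_verdict(evaluate_findings(SAMPLE_FINDINGS, KEV_CATALOG, SLA_HOURS, AS_OF))` on this sample yields 50 % adherence with one undocumented breach, so the control fails on both halves of the pass criteria.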
Evidence required

Collect the vulnerability management policy with defined SLA thresholds, vulnerability scanner reports with detection and remediation timestamps for internet-facing assets, ticketing system exports showing work orders and closure dates for sampled vulnerabilities, patch deployment logs or configuration management records proving remediation actions, CISA KEV catalog cross-reference documentation, and SLA performance dashboards or compliance metrics reports covering the audit period.

Pass criteria

The organization maintains a documented SLA for critical and KEV vulnerabilities on internet-facing systems with defined timeframes, and sampled evidence demonstrates at least 90% adherence to these SLA targets over the review period, with documented justifications and compensating controls for any exceptions.