SI-2 / RA-5 / A.12.6.1 / CIS-7.2 NIST SP 800-53 Rev 5

What is your SLA for remediating critical findings on internal systems?

Demonstrate that the organization maintains a documented, risk-based SLA for remediating critical internal vulnerabilities and consistently meets or documents approved exceptions to that commitment.

Description

What this control does

This control defines and enforces a Service Level Agreement (SLA) specifying the maximum allowable time between discovery of a critical vulnerability or security finding on internal systems and its successful remediation. The SLA typically distinguishes between critical, high, medium, and low severity findings, with critical items often requiring remediation within 24-72 hours. Enforcement mechanisms include automated tracking in vulnerability management platforms, escalation workflows, exception processes for technical constraints, and periodic reporting to executive leadership. This control ensures that severe security exposures do not persist long enough for adversaries to exploit them.

Control objective

What auditing this proves

Demonstrate that the organization maintains a documented, risk-based SLA for remediating critical internal vulnerabilities and consistently meets or documents approved exceptions to that commitment.

Associated risks

Risks this control addresses

  • Adversaries exploit critical vulnerabilities (e.g., privilege escalation, remote code execution) on internal systems before patches are applied
  • Critical findings remain unresolved indefinitely due to lack of accountability or prioritization framework
  • Compliance violations occur when regulatory requirements mandate specific remediation timelines that are not met
  • Lateral movement by attackers is facilitated through unpatched internal systems acting as pivot points
  • Business-critical systems suffer outages when vulnerabilities are exploited due to delayed remediation
  • Audit findings escalate when organizations cannot demonstrate consistent, timely response to critical risks

Testing procedure

How an auditor verifies this control

  1. Obtain the formal vulnerability management policy or procedure document that specifies SLA timeframes for critical, high, medium, and low findings on internal systems
  2. Identify the vulnerability management or ticketing system used to track findings and their remediation lifecycle
  3. Export a report of all critical-severity findings identified on internal systems during the past 12 months, including discovery date, remediation date, and current status
  4. Select a representative sample of at least 15-20 closed critical findings from different months and system types
  5. Calculate elapsed time from discovery to remediation for each sampled finding and compare against the documented SLA
  6. Identify any findings that exceeded the SLA and review documented exception requests, approvals, compensating controls, or risk acceptance records
  7. Interview vulnerability management and IT operations personnel to verify the escalation process when SLAs are at risk of breach
  8. Review executive or steering committee reports to confirm visibility into SLA compliance metrics and recurring breaches

Evidence required

Auditor collects the vulnerability management policy document with defined SLAs, exported vulnerability tracking data showing discovery and closure timestamps for sampled critical findings, screenshots or reports from the vulnerability management platform (e.g., Tenable, Qualys, Rapid7) displaying SLA adherence metrics, and any approved exception or risk acceptance documentation. Additional evidence includes meeting minutes or dashboards showing executive oversight of remediation performance.

Pass criteria

At least 85% of sampled critical findings are remediated within the documented SLA timeframe, and all exceptions are formally documented with appropriate risk acceptance or compensating control approvals.
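The arithmetic behind steps 5-6 of the testing procedure and the pass criteria, as an added Python example that is not part of this control page: it ages each sampled critical finding against the documented SLA, separates documented from undocumented breaches (an open finding past the SLA counts as a breach), and applies the 85% threshold. The 72-hour SLA, the `Finding` record layout and the sample export are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed policy value: the page gives 24-72 hours as the typical critical SLA;
# 72 hours stands in here for the organization's documented commitment.
CRITICAL_SLA = timedelta(hours=72)
PASS_THRESHOLD = 0.85  # pass criteria on this page: at least 85% closed within SLA

@dataclass
class Finding:
    finding_id: str
    discovered: datetime
    remediated: Optional[datetime]    # None while the finding is still open
    exception_approved: bool = False  # approved risk acceptance / compensating control

def evaluate_sla(findings, as_of, sla=CRITICAL_SLA, threshold=PASS_THRESHOLD):
    """Steps 5-6 plus the pass criteria: age each finding against the SLA, then
    require >= threshold in-SLA closures and an approved exception per breach."""
    within, pending, breaches, undocumented = 0, 0, [], []
    for f in findings:
        # Discovery-to-remediation time; an open finding is aged up to as_of.
        age = (f.remediated or as_of) - f.discovered
        if f.remediated is None and age <= sla:
            pending += 1          # open but not yet due: excluded from the rate
        elif f.remediated is not None and age <= sla:
            within += 1           # closing at exactly the SLA still counts as met
        else:
            breaches.append(f.finding_id)   # closed late, or open and overdue
            if not f.exception_approved:
                undocumented.append(f.finding_id)
    measured = len(findings) - pending
    rate = within / measured if measured else 0.0
    return {"sampled": len(findings), "measured": measured, "within_sla": within,
            "compliance_rate": round(rate, 3), "breaches": breaches,
            "undocumented_breaches": undocumented,
            "passed": rate >= threshold and not undocumented}

# Constructed sample export (not real tracker data); VULN-003 closes at exactly 72h.
SAMPLE_FINDINGS = [
    Finding("VULN-001", datetime(2024, 1, 10, 9), datetime(2024, 1, 12, 8)),
    Finding("VULN-002", datetime(2024, 2, 3, 10), datetime(2024, 2, 6, 9)),
    Finding("VULN-003", datetime(2024, 3, 15, 8), datetime(2024, 3, 18, 8)),
    Finding("VULN-004", datetime(2024, 4, 1, 0), datetime(2024, 4, 2, 12)),
    Finding("VULN-005", datetime(2024, 5, 5, 14), datetime(2024, 5, 7, 2)),
    Finding("VULN-006", datetime(2024, 6, 1, 9), datetime(2024, 6, 3, 9)),
    Finding("VULN-007", datetime(2024, 6, 10, 9), None),  # open 20 days, no exception
    Finding("VULN-008", datetime(2024, 6, 29, 9), None),  # open 27 hours, not yet due
]
AS_OF = datetime(2024, 6, 30, 12)  # audit date used to age open findings
```

On the sample, 6 of 7 measured findings (85.7%) are within SLA, yet the test fails because the overdue open finding has no approved exception; recording that exception is what turns the result into a pass.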