SAMMY UI is optimized for resolutions with a width 1024px and higher.
CIS Critical Security Controls
Browse CIS Critical...
16,1: Establish and Maintain a Secure Application Development Process
16,2: Establish and Maintain a Process to Accept and Address Software Vulnerabilities
16,3: Perform Root Cause Analysis on Security Vulnerabilities
16,4: Establish and Manage an Inventory of Third-Party Software Components
16,5: Use Up-to-Date and Trusted Third-Party Software Components
16,6: Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities
16,7: Use Standard Hardening Configuration Templates for Application Infrastructure
16,8: Separate Production and Non-Production Systems
16,9: Train Developers in Application Security Concepts and Secure Coding
16,10: Apply Secure Design Principles in Application Architectures
16,11: Leverage Vetted Modules or Services for Application Security Components
16,12: Implement Code-Level Security Checks
16,13: Conduct Application Penetration Testing
16,14: Conduct Threat Modeling
Establish and Maintain a Process to Accept and Address Software Vulnerabilities
16,2: Establish and Maintain a Process to Accept and Address Software Vulnerabilities
Policy defined
Not applicable - Not applicable
None - None
Informal - Informal
Partially written - Partially written
Written - Written
Approved and communicated - Approved and communicated
Control implemented
Not applicable - Not applicable
Not implemented - Not implemented
Parts of policy implemented - Parts of policy implemented
Implemented on some systems - Implemented on some systems
Implemented on most systems - Implemented on most systems
Implemented on all systems - Implemented on all systems
Control automated
Not applicable - Not applicable
Not automated - Not automated
Parts of policy automated - Parts of policy automated
Automated on some systems - Automated on some systems
Automated on most systems - Automated on most systems
Automated on all systems - Automated on all systems
Control reported
Not applicable - Not applicable
Not reported - Not reported
Parts of policy reported - Parts of policy reported
Reported on some systems - Reported on some systems
Reported on most systems - Reported on most systems
Reported on all systems - Reported on all systems
Description

Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

Third-party application developers need to consider this an externally-facing policy that helps to set expectations for outside stakeholders.