Report on the average time elapsed between vulnerability or weakness discovery and implementation of corrective action

Status: Live

The organization will report on the average time elapsed between vulnerability or weakness discovery and implementation of corrective action. [UCF ID 02140]

Metric guidance

Calculation: For each weakness, the elapsed time is the date the vulnerability or weakness was corrected minus the date of vulnerability or weakness discovery, expressed in days. The metric is that elapsed time averaged over the weaknesses closed in the reporting period.

Calculation source: The authority document source of information is NIST 800-55, Critical Element 2.2. The following formula was used: the number of weaknesses closed within 30 days, 60 days, 90 days, 180 days, and 1 year, each multiplied by its bucket's number of days (30, 60, 90, 180, 365) and summed, divided by the total number of weaknesses closed in the last year for each business unit (or the organization as a whole).

The Common Control IDs associated with this metric are as follows:

Supporting and supported controls

This control directly supports:

    Establish and maintain an incident management and vulnerability detection and response metrics management program [UCF Control ID 02085]

There are no supporting controls.

Authority documents complied with:

Security Metrics Guide for Information Technology Systems, NIST SP 800-55, July 2003, § A.2.2.1; Performance Measurement Guide for Information Security, NIST 800-55 Rev. 1, Revision 1, App A Measure 16

NIST Guidance

This metric must be calculated as (# of weaknesses closed within 30 days x 30 + # closed within 60 days x 60 + # closed within 90 days x 90 + # closed within 180 days x 180 + # closed within 1 year x 365) / # of total weaknesses closed. Each weakness is counted once, in the smallest bucket that contains its closure time.
Information Source: Use the total number of weaknesses closed in the last year for each business unit (or the organization as a whole) as the base number (the denominator); the numerator is the weighted sum of the number of weaknesses closed within 30 days, 60 days, 90 days, 180 days, and 1 year.
[§ A.2.2.1, Security Metrics Guide for Information Technology Systems, NIST SP 800-55, July 2003]

The calculation for this metric should be stated as the # of vulnerabilities corrected within the specified time period / # of vulnerabilities identified during vulnerability scans, expressed as a percentage. Use the total number of vulnerabilities discovered during the vulnerability scans for each business unit (or the organization as a whole) as the base number (the denominator); the numerator is the number of those vulnerabilities that were corrected within the organization-defined time period. [App A Measure 16, Performance Measurement Guide for Information Security, NIST 800-55 Rev. 1, Revision 1]
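The following script is an added example, not part of the UCF page or either NIST document, showing how a practitioner would compute both calculations cited above from a vulnerability tracker export: the bucketed average of NIST SP 800-55 (2003) § A.2.2.1 and the percentage corrected within a period of NIST 800-55 Rev. 1 Measure 16, per business unit and for the organization as a whole. The record layout, the business-unit names, the 30-day correction period and the sample findings are all constructed for the example; the script also reports the exact mean of (corrected date - discovery date) beside the bucketed figure, and separately counts weaknesses closed after more than a year, which the bucketed formula places in the denominator but in no bucket.

```python
"""Time-to-correct metrics (added example; not UCF or NIST code)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Bucket upper bounds in days, from the NIST SP 800-55 (2003) formula.
BUCKETS = (30, 60, 90, 180, 365)


@dataclass(frozen=True)
class Weakness:
    ident: str                 # hypothetical tracker identifier
    business_unit: str
    discovered: date           # scan finding, audit, or report date
    corrected: Optional[date]  # None while the weakness is still open


def days_to_close(w: Weakness) -> Optional[int]:
    """Days between discovery and correction; None if still open."""
    if w.corrected is None:
        return None
    days = (w.corrected - w.discovered).days
    if days < 0:
        raise ValueError(f"{w.ident}: corrected before discovered")
    return days


def bucket_for(days: int) -> Optional[int]:
    """Smallest NIST bucket containing `days`; None if closed after a year."""
    for upper in BUCKETS:
        if days <= upper:
            return upper
    return None


def closed_in_window(ws, start: date, end: date):
    return [w for w in ws if w.corrected is not None and start <= w.corrected <= end]


def identified_in_window(ws, start: date, end: date):
    return [w for w in ws if start <= w.discovered <= end]


def nist_2003_average_days(closed):
    """Bucketed average per § A.2.2.1: (n30*30 + ... + n365*365) / total closed.
    Returns (average, count closed after 365 days). Those late closures sit in
    the denominator but in no bucket, so they pull the figure down; report them."""
    if not closed:
        return None, 0
    counts = defaultdict(int)
    over_year = 0
    for w in closed:
        b = bucket_for(days_to_close(w))
        if b is None:
            over_year += 1
        else:
            counts[b] += 1
    weighted = sum(n * upper for upper, n in counts.items())
    return weighted / len(closed), over_year


def exact_average_days(closed):
    """Plain mean of elapsed days, for comparison with the bucketed figure."""
    if not closed:
        return None
    return sum(days_to_close(w) for w in closed) / len(closed)


def percent_corrected_within(identified, max_days: int):
    """Rev. 1 Measure 16: corrected within max_days / identified, as a percentage."""
    if not identified:
        return None
    hit = sum(1 for w in identified
              if (d := days_to_close(w)) is not None and d <= max_days)
    return 100.0 * hit / len(identified)


def report(ws, start: date, end: date, sla_days: int):
    """Metrics per business unit plus an 'ALL' roll-up for the organization."""
    by_bu = defaultdict(list)
    for w in ws:
        by_bu[w.business_unit].append(w)
    by_bu["ALL"] = list(ws)
    out = {}
    for bu, group in by_bu.items():
        closed = closed_in_window(group, start, end)
        avg, over = nist_2003_average_days(closed)
        out[bu] = {
            "closed": len(closed),
            "nist_bucketed_avg_days": avg,
            "closed_after_a_year": over,
            "exact_avg_days": exact_average_days(closed),
            "pct_corrected_within_sla": percent_corrected_within(
                identified_in_window(group, start, end), sla_days),
        }
    return out


# Constructed sample findings (not real data); comments give elapsed days.
SAMPLE = [
    Weakness("W-1", "Finance", date(2008, 3, 1), date(2008, 3, 10)),  # 9
    Weakness("W-2", "Finance", date(2008, 4, 1), date(2008, 5, 15)),  # 44
    Weakness("W-3", "Finance", date(2008, 1, 5), date(2008, 6, 1)),   # 148
    Weakness("W-4", "Ops", date(2008, 2, 1), date(2008, 2, 20)),      # 19
    Weakness("W-5", "Ops", date(2007, 1, 1), date(2008, 2, 1)),       # 396
    Weakness("W-6", "Ops", date(2008, 9, 1), None),                   # open
]
WINDOW = (date(2008, 1, 1), date(2008, 12, 31))

if __name__ == "__main__":
    for bu, metrics in report(SAMPLE, *WINDOW, sla_days=30).items():
        print(bu, metrics)
```

On the sample, Finance's bucketed average is 90 days against an exact mean of 67, and Ops' bucketed average is 15 days against an exact mean of 207.5 because its 396-day closure falls outside every bucket; when reporting this metric, state which formula was used and count late closures alongside it.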


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.