
RA.L2-3.11.3 Vulnerability Remediation

Risk Assessment 3 of 3 in family

Fix What You Find.

Remediate vulnerabilities prioritized by risk — critical first, tracked to closure.

The one-liner

Scanning without fixing is documenting problems without solving them.

Practice names: DoD CIO CMMC Model Overview v2.0 (CC BY 4.0).

3.11.3 — Fix What You Find

Remediate vulnerabilities in accordance with risk assessments.

Scan results without remediation are useless. Two things must be true: vulnerabilities are identified (from scans, assessments, advisories), and they are remediated in accordance with risk, highest risk first. Define remediation SLAs by severity: critical within 48-72 hours, high within 14-30 days, medium within 90 days, low in the next maintenance window.

Remediation isn't the only valid response. For any given vulnerability you have four choices, drawn from NIST SP 800-40r4: remediate or mitigate it, accept the risk, avoid it (retire or reconfigure the exposed asset), or transfer it, for example by shifting patching duty to a SaaS provider that owns the underlying platform. Risk acceptance is a legitimate outcome, but only as a deliberate, documented one: record each vulnerability you choose not to fix, the reasoning behind the decision, any compensating control, and the continued monitoring you will keep on it. An undocumented decision not to remediate reads as an oversight, and that is a finding.

Track every vulnerability from identification through closure. The assessor will compare sequential scan results: if the same critical vulnerability appears in consecutive scans and is not covered by a documented risk-acceptance or POA&M entry, that is a finding.


Your assessor needs a “yes” to every row:

#   Question                                            What "yes" looks like
1   Are vulnerabilities identified?                     Vulnerability scan results triaged and documented
2   Are vulnerabilities remediated by risk priority?    Remediation records showing SLA adherence; sequential scans showing closure

Documents they’ll review: Risk assessment policy; vulnerability scan results (sequential); remediation records and SLA tracking; POA&M; patch management records; system security plan

People they’ll talk to: Personnel with risk assessment and vulnerability management responsibilities; information security personnel

Live demos they’ll ask for: “Show me your remediation SLAs by severity.” “Pick a critical finding — when found vs. when fixed.” “Show me sequential scans proving closure.” “How do you track remediation?”


These are the actual questions. Have answers ready.

  • “Show me how you prioritize vulnerability remediation.”
  • “What are your remediation SLAs by severity?”
  • “Show me a critical finding — when was it found and when was it fixed?”
  • “Are risk assessment results used to prioritize?”
  • “Show me sequential scan results — are findings being closed?”

Scans without remediation. Reports pile up, nothing gets patched. Assign every finding a ticket with an owner and deadline.

No prioritization. Everything treated equally. Critical vulnerabilities sit alongside cosmetic findings. Use risk-based SLAs.

No tracking. Vulnerabilities get fixed, but nobody can show when, or that they stayed fixed. Track each finding to closure and confirm it with the next scan: previously reported findings should disappear and not reappear. A rising total count is not by itself a failure, since new advisories add findings; the same finding surviving scan after scan is.
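To make the tracking concrete, the following Python script, added here as an example and not code from the original page or from any scanner vendor, runs the two checks an assessor performs (is the same finding present in consecutive scans, and was each finding closed within its SLA) against two constructed scan exports and a constructed risk-acceptance register. It covers both the SLA-by-severity tracking described under 3.11.3 and the three pitfalls just listed. The SLA table uses the upper bound of each range suggested above; the export layout, host names, vulnerability IDs, dates and acceptance rationale are all made up for illustration, and a real deployment would replace the inline data with a loader for the scanner's actual export.

```python
"""Track findings from identification to closure across sequential scans.

Added example, not from the original page or any scanner product. The scan
export layout, host names, vuln IDs, dates and the risk-acceptance register are
all constructed for illustration; adapt the loader to your scanner's real export.
"""
from datetime import date

# Remediation SLAs in calendar days, using the upper bound of each range the
# text suggests (critical 48-72 h, high 14-30 d, medium 90 d). Low has no
# fixed deadline: it goes in the next maintenance window.
SLA_DAYS = {"critical": 3, "high": 30, "medium": 90, "low": None}

# Constructed scan exports, oldest first. A finding is identified by
# (host, vuln_id); the same pair in two consecutive scans means it was not fixed.
SCANS = [
    {"date": date(2024, 3, 1), "findings": [
        {"host": "web01", "vuln_id": "VULN-A", "severity": "critical"},
        {"host": "web01", "vuln_id": "VULN-B", "severity": "high"},
        {"host": "db01", "vuln_id": "VULN-C", "severity": "medium"},
        {"host": "db01", "vuln_id": "VULN-D", "severity": "low"},
    ]},
    {"date": date(2024, 3, 15), "findings": [
        {"host": "web01", "vuln_id": "VULN-A", "severity": "critical"},  # still open
        {"host": "db01", "vuln_id": "VULN-C", "severity": "medium"},     # still open
        {"host": "db01", "vuln_id": "VULN-D", "severity": "low"},        # still open
        {"host": "web02", "vuln_id": "VULN-E", "severity": "high"},      # newly found
    ]},
]

# Constructed risk-acceptance register: the documented decisions not to fix.
# Anything open past SLA that is NOT in here is a finding for the assessor.
RISK_ACCEPTED = {
    ("db01", "VULN-C"): "no vendor fix; host restricted to mgmt VLAN; reviewed quarterly",
}

AS_OF = date(2024, 3, 20)  # the day the report is generated (constructed)


def recurring_findings(prev_scan, curr_scan):
    """Findings reported in both of two consecutive scans: the assessor's first check."""
    prev_keys = {(f["host"], f["vuln_id"]) for f in prev_scan["findings"]}
    return [f for f in curr_scan["findings"] if (f["host"], f["vuln_id"]) in prev_keys]


def finding_timeline(scans):
    """For each (host, vuln_id): severity, first_seen, and closed (the date of the
    first later scan in which it no longer appears), or None while still open."""
    timeline = {}
    for scan in scans:
        present = set()
        for f in scan["findings"]:
            key = (f["host"], f["vuln_id"])
            present.add(key)
            rec = timeline.setdefault(
                key, {"severity": f["severity"], "first_seen": scan["date"], "closed": None})
            if rec["closed"] is not None:  # regression: it came back after closing
                rec["closed"] = None
                rec["first_seen"] = scan["date"]
        for key, rec in timeline.items():
            if rec["closed"] is None and key not in present:
                rec["closed"] = scan["date"]
    return timeline


def sla_report(scans=SCANS, risk_accepted=RISK_ACCEPTED, as_of=AS_OF):
    """Classify every finding ever reported: closed-in-sla, closed-late, open,
    breached (open past SLA with no documented acceptance), or risk-accepted."""
    report = {}
    for key, rec in finding_timeline(scans).items():
        end = rec["closed"] or as_of
        days_open = (end - rec["first_seen"]).days
        limit = SLA_DAYS[rec["severity"]]
        over_sla = limit is not None and days_open > limit
        if rec["closed"] is not None:
            status = "closed-late" if over_sla else "closed-in-sla"
        elif key in risk_accepted:
            status = "risk-accepted"
        else:
            status = "breached" if over_sla else "open"
        report[key] = {**rec, "days_open": days_open, "status": status,
                       "rationale": risk_accepted.get(key)}
    return report


def assessor_findings(scans=SCANS, risk_accepted=RISK_ACCEPTED, as_of=AS_OF):
    """What an assessor would write up: SLA breaches, plus criticals recurring
    across consecutive scans that are not covered by a documented acceptance."""
    breached = [k for k, r in sla_report(scans, risk_accepted, as_of).items()
                if r["status"] == "breached"]
    recurring_crit = set()
    for prev_scan, curr_scan in zip(scans, scans[1:]):
        for f in recurring_findings(prev_scan, curr_scan):
            key = (f["host"], f["vuln_id"])
            if f["severity"] == "critical" and key not in risk_accepted:
                recurring_crit.add(key)
    return {"sla_breaches": sorted(breached), "recurring_criticals": sorted(recurring_crit)}


if __name__ == "__main__":
    for key, r in sorted(sla_report().items()):
        print(f"{key[0]:6} {key[1]:7} {r['severity']:9} first seen {r['first_seen']} "
              f"{r['days_open']:3d}d {r['status']}")
    print(assessor_findings())
```

With the constructed data, VULN-A on web01 is the one that would be written up: a critical first seen on 1 March, still present on 15 March, and 19 days old at report time against a 3-day SLA, with no acceptance record. VULN-C is also open past two scans but is in the register with a rationale, so it reports as risk-accepted rather than breached; that is exactly the difference between a deliberate decision and an oversight. Regressions (a finding that closes and later reappears) reopen the clock rather than silently counting as closed.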



Requirement                          Why it matters here
3.11.2 — Scan for Vulnerabilities    Scanning identifies the vulnerabilities this requirement remediates
3.14.1 — Patch Your Systems          Patching is the primary remediation method
3.12.2 — Track Every Gap             POA&M tracks items needing extended remediation