Critical Control 4: Continuous Vulnerability Assessment and Remediation lists as a “quick win”: “Any vulnerability identified should be remediated in a timely manner, with critical vulnerabilities fixed within 48 hours.”
Unless you’re paired up with Nick Nolte, 48 hours isn’t a very long time. It seems to conflict with a later requirement: “Critical patches must be evaluated in a test environment before being pushed into production on enterprise systems.” That is one quick eval cycle.
So what is critical?
In my vulnerability scan report, vulnerabilities are listed 1 through 5. Every month there are new level 5 vulnerabilities.
PCI says that things with a CVSS score greater than 7.2 (if I remember correctly) need to be patched. Is that what critical is?
Does critical mean “was mentioned on the evening news”?
FISMA 800-53 rev 3 RA-5 leaves it up to the organization to define.
I think I should just update my vulnerability management doc to say that critical updates are defined as those accompanied by the four horsemen. Those must be patched within 48 hours, if the server can be found in the smoking crater. All other patches shall be deployed within 30 days unless otherwise instructed.