Register
Create one durable record with first-seen time, source, affected asset, business service, owner, exposure, and scan quality. Map duplicates without resetting age.
Exit evidence: stable finding and asset identity.
Remediation governance and verified closure
A vulnerability remediation SLA should define ownership, risk-based clocks, escalation, temporary mitigation, exception expiry, rescanning or retesting, closure evidence, and the conditions that reopen a finding.
A finding should reach “Remediated — Verified” only after the affected condition is corrected and suitable evidence confirms that the asset, scope, authentication, scanner content, attack path, and test method were sufficient. Mitigated, accepted, not affected, false positive, removed, and verified remediated are different outcomes and should remain distinguishable.
Six controlled gates
This page begins after the scan and finding have been validated. The separate scan report validation guide explains how to establish that starting evidence.
Create one durable record with first-seen time, source, affected asset, business service, owner, exposure, and scan quality. Map duplicates without resetting age.
Exit evidence: stable finding and asset identity.
Confirm applicability and classify true positive, false positive, not affected, or inconclusive. Branch to incident response when compromise may have occurred.
Exit evidence: technical disposition and analyst rationale.
Apply the approved tier, external requirement, local risk context, accountable owner, implementation team, and escalation path.
Exit evidence: decision, clock trigger, owner, and deadline.
Patch, configure, upgrade, isolate, remove, mitigate, or formally accept residual risk. Temporary mitigation receives its own test and expiry.
Exit evidence: change, mitigation, or approved exception.
Use an authenticated rescan, targeted retest, configuration evidence, decommission proof, or a combination suited to the original condition.
Exit evidence: successful verification with adequate coverage.
Record the final state, verifier, remaining limitation, retention location, monitoring, recurrence risk, and reopening trigger.
Exit evidence: approved closure record and audit trail.
Use several clocks, not one number
NIST uses organization-defined response periods based on risk; it does not prescribe one universal deadline. External legal, regulatory, contractual, insurer, customer, or directive requirements may impose a faster and controlling deadline.
Measure time from the policy-defined trigger until an accountable owner accepts the record and the implementing team is identified.
Stops when: ownership and escalation route are confirmed.
Measure time to confirm the asset, product, version, feature, detection evidence, and affected condition.
Stops when: a supported technical disposition is recorded.
Measure time to reduce urgent exposure or deploy a tested temporary control when permanent remediation cannot be immediate.
Stops when: the compensating control is operating and evidenced.
Measure time to patch, configure, upgrade, replace, remove, or otherwise eliminate the vulnerable condition.
Stops when: the approved change is deployed—not when the ticket is merely updated.
Measure time from deployment to a suitable rescan, retest, configuration check, or independent verification.
Stops when: coverage and result meet the closure criteria.
Measure the active-risk period, scheduled reviews, renewal count, milestones, and the hard expiry or trigger that requires reapproval.
Stops when: risk is remediated, avoided, or freshly reauthorized.
Do not reset age through reassignment, scanner changes, duplicate tickets, rediscovery, a failed remediation attempt, or an exception renewal. Preserve first seen, validation date, each response date, and the current clock so reports cannot make an old risk look new.
Policy-defined tiers
Use tier names such as Emergency, Accelerated, Standard, and Planned, then approve acknowledgement, mitigation, permanent remediation, verification, and escalation targets for each. Do not label an internal number “NIST-required.”
Immediate incident coordination, exposure reduction, evidence preservation, remediation, and verified recovery as authorized.
Confirmed affected asset with material exposure, KEV or credible exploit activity, privilege, lateral-movement, or critical-service impact.
Owned finding with a supported fix and no condition that requires emergency or accelerated handling.
Validated issue scheduled through a documented maintenance, upgrade, replacement, or root-cause plan with monitoring.
SLA policy worksheet
The example fields remain technology neutral. Each organization should approve its own targets and external overrides.
All policy fields remain available inside this scroll frame. Use the visible right and bottom scrollbars on smaller screens.
| Policy field | Required definition | Evidence to retain | Common failure | Escalation or override |
|---|---|---|---|---|
| Triggering event | First reliable detection, validated finding, vendor fix release, KEV addition, exposure change, or other approved trigger | First seen, validation date, source timestamps, catalog/advisory date | Clock starts only when a team opens a ticket | Use the earliest applicable internal or external trigger |
| Scope and identity | Stable finding, CVE/check, asset, interface, environment, owner, and business service | Inventory, scan source, authentication, package/configuration evidence | DHCP, cloud replacement, or duplicate tickets reset identity | Escalate unresolved ownership and asset-correlation gaps |
| Priority tier | Risk inputs, decision rule, approver, response targets, and rationale | Severity, exploitation, exposure, impact, controls, obligations | CVSS alone becomes the deadline | Binding external requirement or incident evidence overrides slower tier |
| Acknowledgement | Accountable owner and implementing team accept the record | Assignment time, response, escalation, and service ownership | Finding sits unowned while the remediation clock appears healthy | Escalate to service and business leadership |
| Temporary mitigation | Control, deployment target, owner, effectiveness test, monitoring, and removal date | Configuration/change record and functional control test | Mitigation is reported as permanent remediation | Move to exception or escalate when the control fails |
| Permanent remediation | Approved corrective action, dependencies, maintenance window, and target | Patch/build/version, configuration diff, commit, replacement, or removal record | Ticket status substitutes for implementation evidence | Escalate blockers before the deadline |
| Verification | Rescan, retest, configuration proof, decommission proof, verifier, and time limit | Tool/method, scope, credentials, content date, result, limitations | Finding disappears because visibility decreased | Reopen on failed or inconclusive verification |
| Exception | Residual risk, constraint, controls, approvals, milestones, review, and hard expiry | Full exception packet and immutable approval history | Indefinite renewal silently closes the finding | Trigger reapproval on KEV, exploit, exposure, control, or role change |
Time-limited exception governance
A false positive is a validation outcome. An exception is an authorized decision to carry a confirmed, unresolved condition for a defined period under documented controls and oversight.
Rescan, retest, or both
A negative scanner result is not closure when credentials failed, the asset changed identity, the test omitted the vulnerable interface, or the compensating control merely hid the detection.
All verification cases remain available inside this scroll frame. Use the visible right and bottom scrollbars on smaller screens.
| Finding or response | Primary verification | Coverage controls | Closure evidence | Do not accept |
|---|---|---|---|---|
| Patch or standard configuration change | Authenticated rescan plus installed version or configuration evidence | Same asset, interface, credentials, privileges, current content, and reachable scope | Change record, package/build/configuration, scan result, verifier, and timestamp | Uncredentialed “not detected” result when local evidence was required |
| Web authorization or business-logic flaw | Targeted manual retest; application-aware automation may supplement it | Same role, tenant, object, route, method, prerequisites, workflow, and negative case | Sanitized request/response or equivalent proof and specific retest case | Generic infrastructure rescan as proof of application-logic closure |
| WAF, segmentation, or access-control mitigation | Functional retest of the blocked attack path plus relevant scan | Source/destination, identity, protocol, rule order, bypass paths, logging, and failure mode | Configuration, test result, monitoring, owner, expiry, and permanent plan | Policy screenshot without a functional effectiveness test |
| Penetration-test finding or exploit chain | Repeat the original technique or an equivalent authorized attack path | Same preconditions, privileges, chained steps, data/impact boundary, and safe rules of engagement | Retest narrative, evidence, tester, date, result, and remaining limitation | Closing the chain because one scanner plugin disappeared |
| Asset or service decommissioning | Inventory, discovery, DNS/cloud/configuration, and reachability evidence | All addresses, interfaces, replicas, regions, backups, routes, and replacement assets | Removal/change record and independent evidence that the service no longer operates | CMDB status alone while the asset remains reachable |
| Claimed false positive | Authoritative advisory plus authenticated inspection or other independent technical method | Exact asset instance, build/backport, feature, scanner logic, and review trigger | Original result, evidence, analyst, approval, date, and rationale | Deleting or suppressing the result without preserved evidence |
| High-risk external vulnerability | External rescan and targeted validation; independent review when practical | Same public asset, hostname/address, port, service, TLS/application path, and source perspective | Before/after evidence, change, rescan, retest, verifier, and exposure statement | Internal-only verification of an internet-facing condition |
Equivalent or better visibility is the minimum. A verification scan should use current content, successful expected authentication, stable asset identity, complete job status, and the same affected surface. Open newly discovered findings separately; do not let them erase proof that the original condition was fixed.
Closure states that preserve meaning
Clear states help executives and auditors distinguish corrected risk from temporary mitigation, accepted residual risk, invalid detection, service removal, and failed verification.
Audit-ready closure package
Closure evidence should survive scanner changes, ticket migration, staff turnover, audits, and the next recurrence of the same root cause.
Three realistic closure paths
These examples demonstrate governance decisions; they do not impose universal deadlines.
Metrics that expose program health
Aggregate “percent patched” can hide old, exposed, unowned, or unverified risk. Segment metrics by tier, exposure, asset group, owner, root cause, and verification state.
Median and 90th-percentile time from detection to supported disposition.
Separate temporary exposure reduction from permanent correction.
Time from deployment to adequate rescan or retest.
KEVs and credible exploitation by exposure and business criticality.
Active, expired, repeatedly renewed, missing-control, and overdue milestones.
Findings and assets whose verification lacks expected local depth.
Failed fixes, recurring configurations, and unresolved root causes.
Records with required implementation, verification, approval, and monitoring evidence.
Current directive and compliance examples
Policies change. Verify the live authoritative source and the organization’s applicability before copying a public deadline into a private-sector SLA.
Reviewed from security and infrastructure perspectives
Ali Hassani is a CISO and cybersecurity/IT consultant with 25+ years of experience across vulnerability management, network and Microsoft infrastructure, cloud security, compliance auditing, patching, operations, change control, and executive risk decisions. His certifications include CISSP, CCISO, CCNP, CCNA, MCSE, MCSA Security, MCITP, MCP, and MCTS. Review Ali Hassani’s professional background.
Authoritative basis: NIST SP 800-40 Rev. 4 treats remediation as a risk-response lifecycle and supports planned, implemented, verified, and monitored responses. NIST SP 800-53 Rev. 5 uses organization-defined response periods based on risk and calls for remediation, measurement, plans of action, and monitoring.
CISA BOD 26-04 provides the current federal risk-based remediation directive, and its implementation guidance addresses forensic triage and response. It superseded and revoked BOD 22-01 and BOD 19-02 on June 10, 2026.
PCI SSC FAQ 1597 explains current risk-ranking and patch-timing expectations, FAQ 1152 describes the scan-remediate-rescan cycle, and FAQ 1572 explains why a missed periodic activity cannot be retroactively performed.
Guidance limitation: This page provides initial guidance and does not replace a professional cybersecurity audit, vulnerability assessment, penetration test, incident investigation, or legal/compliance review.
Remediation SLA questions
At the event defined in the approved policy, such as first reliable detection, validation, vendor fix release, KEV addition, or exposure change. Preserve first-seen age and never reset it through duplicates, reassignment, scanner changes, or failed fixes.
No. It means authorized residual risk is being carried until a defined expiry or trigger event. The unresolved technical condition should retain monitoring, milestones, controls, review dates, and reapproval requirements.
A reliable authenticated rescan may be sufficient for a conventional patch or configuration finding when it reaches the same asset and interface with current content and successful expected credentials. Business logic, authorization, compensating controls, and exploit chains usually need targeted retesting.
Only if the approved policy and applicable obligation allow it and the control is implemented, tested, monitored, and formally approved. The state should normally be “Mitigated” or “Exception Active,” not “Remediated.”
Finding and asset traceability, risk and deadline, implementation proof, change approval, successful rescan or retest, exception history, verifier approval, remaining limitation, monitoring, and a clear reopen trigger.
No. BOD 26-04 applies to covered Federal Civilian Executive Branch systems, and PCI DSS requirements apply to the relevant payment-card environment and validation scope. Other organizations may adopt aggressive targets, but must identify the actual source and applicability.
OC Security Audit can help validate findings, design risk-based remediation governance, review exceptions, assess rescan and retest evidence, and determine whether a closure record supports the claimed reduction in risk.