History

Priority

Must

Nov 2018

Security vulnerabilities in operating systems and firmware assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users.

Added to address a gap in guidance on operating system and firmware patching.