Reduce Cybersecurity Vulnerabilities

MIL1 requirements
a. Information sources to support cybersecurity vulnerability discovery are identified, at least in an ad hoc manner
b. Cybersecurity vulnerability information is gathered and interpreted for the function, at least in an ad hoc manner
c. Cybersecurity vulnerability assessments are performed, at least in an ad hoc manner
d. Cybersecurity vulnerabilities that are relevant to the delivery of the function are mitigated, at least in an ad hoc manner

MIL2 requirements
e. Cybersecurity vulnerability information sources that collectively address higher priority assets are monitored
f. Cybersecurity vulnerability assessments are performed periodically and according to defined triggers, such as system changes and external events
g. Identified cybersecurity vulnerabilities are analyzed and prioritized, and are addressed accordingly
h. Operational impact to the function is evaluated prior to deploying patches or other mitigations
i. Information on discovered cybersecurity vulnerabilities is shared with organizationdefined stakeholders

MIL3 requirements
j. Cybersecurity vulnerability information sources that collectively address all IT and OT assets within the function are monitored
k. Cybersecurity vulnerability assessments are performed by parties that are independent of the operations of the function
l. Vulnerability monitoring activities include review to confirm that actions taken in response to cybersecurity vulnerabilities were effective m. Mechanisms are established and maintained to receive and respond to reports from the public or external parties of potential vulnerabilities related to the organization’s IT and OT assets, such as public-facing websites or mobile applications