NIST CSF PR.IP-12: Vulnerability Management Plan
A documented vulnerability management plan is foundational to protecting your organization's assets and reducing breach risk. PR.IP-12 requires you to develop, implement, and continuously refine processes for identifying, prioritizing, and remediating vulnerabilities across your IT environment. This control demonstrates to auditors and stakeholders that you take a structured, repeatable approach to vulnerability discovery and remediation.
What this means
PR.IP-12 mandates the creation and deployment of a formal vulnerability management plan that covers the entire lifecycle of vulnerability handling. Your plan must define roles and responsibilities, establish timelines for remediation based on severity, specify scanning frequencies and tools, and document the process for tracking vulnerabilities from discovery through closure. The plan should address both internal and external assets, cover regular scans, coordinate with patch management, and include escalation procedures for critical findings.
How to comply
- 1.Document your vulnerability management plan in writing, including scope (systems, networks, and applications covered) and roles/responsibilities for each phase.
- 2.Define vulnerability severity classifications (critical, high, medium, low) and establish remediation timelines for each—typically 24-48 hours for critical, 7-14 days for high.
- 3.Implement automated vulnerability scanning tools (network, web application, database) and schedule scans at regular intervals (at minimum quarterly, preferably monthly).
- 4.Establish a process to triage and prioritize findings based on asset criticality, exploitability, and business context.
- 5.Create a remediation workflow that assigns owners, tracks progress, and documents evidence of fixes (patches, configuration changes, vendor updates).
- 6.Define criteria for closing vulnerabilities and conduct verification scans to confirm remediation.
- 7.Review and update the plan annually or when significant changes occur (new systems, process changes, lessons learned).
Evidence auditors look for
- A documented vulnerability management policy or procedure document signed by leadership
- Vulnerability scanning reports from automated tools (Nessus, Qualys, OpenVAS) showing regular scan execution
- Vulnerability tracking spreadsheet or ticketing system records with severity ratings, assigned owners, and remediation dates
- Patch management records showing installation and verification of security updates
- Risk assessment or prioritization matrix defining remediation timelines by severity level
- Scan exclusion documentation explaining why certain assets or vulnerabilities are excluded (if applicable)
- Follow-up scans or validation reports confirming successful remediation of previously identified vulnerabilities
- Incident response logs showing how discovered vulnerabilities triggered remediation actions
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically aggregates vulnerability scan data from your existing tools, tracks remediation timelines against your defined SLAs, and generates audit-ready reports showing your plan's execution—eliminating spreadsheet tracking and manual evidence collection.
See how GRCWatch handles this control automatically
Start free trial