Operational bug controls

old.reddit.com / @/u/bberce, https://old.reddit.com/user/bberce

Hello r/NISTControls!
Our organization recently suffered a massive outage due to an IT vendor's operational bug. This was *not* a CVE. I'm fairly familiar with all of the cybersecurity controls surrounding CVEs or security vulnerabilities. Can someone point me to controls that would mitigate against a bug like this for example:
https://bst.cisco.com/quickview/bug/CSCwf08698

You'll see that this is not a CVE and none of the security vulnerability solutions would address it. Here are the controls I found, but my concern is that they won't address the risk:

  1. SI-2 has the word 'vulnerability' in it and that's usually associated with CVEs (same rationale for SI-2(2) and SI-2(3))
  2. SI-7 doesn't seem to fit because it wasn't an unauthorized change
  3. CM-2 doesn't apply because this bug was not announced from the vendor prior to when the asset was placed into service.

Traditionally patch management solutions address operating system bugs/flaws/patches, so references to patch management don't seem right.

Follow-up question - how are your organizations tracking bugs if your CVE solutions aren't addressing them? Ideally in an automated fashion. And I'm not talking about the operating system (server/desktop) level.

Thank you in advance!


published 9 months ago
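One way to approach the follow-up question about automated tracking of non-CVE vendor bugs, as an added example that is not part of the original post and not any vendor's tool: keep an asset inventory (product and running release) and a small record per vendor bug (affected releases, releases carrying the fix), then match the two. The bug records, bug IDs and hostnames below are constructed placeholders, not data about the Cisco bug the post links to; the version-ordering rule (numeric components compare numerically, a trailing letter sorts after the bare number) is an assumption that fits many vendor release schemes but should be checked against the vendor's own numbering.

```python
"""Match an asset inventory against vendor bug records (not CVEs).

Added example. SAMPLE_BUGS and SAMPLE_INVENTORY are constructed placeholders,
not data from any vendor bug tracker or from the original post.
"""
from dataclasses import dataclass, field
import re


@dataclass
class BugRecord:
    bug_id: str                      # vendor tracking id (placeholder here)
    product: str                     # product family the bug applies to
    affected: list[str]              # releases the vendor lists as affected
    fixed_in: list[str] = field(default_factory=list)  # releases carrying the fix
    severity: str = "operational"    # not a security severity; this is not a CVE


@dataclass
class Asset:
    hostname: str
    product: str
    version: str                     # release actually running on the device


_TOKEN = re.compile(r"(\d+)|([A-Za-z]+)")


def parse_version(version):
    """Split '17.9.4a' into a tuple that orders correctly: 17.9.4 < 17.9.4a < 17.12.1.

    Numeric parts become (0, int); alphabetic suffixes become (1, str), so a
    rebuild suffix sorts after the bare number but before the next numeric part.
    """
    parts = []
    for num, alpha in _TOKEN.findall(version):
        parts.append((0, int(num)) if num else (1, alpha))
    return tuple(parts)


def classify(bug, version):
    """Return 'affected', 'fixed' or 'unknown' for one running release against one bug.

    'unknown' is deliberate: a release the vendor has not listed either way
    should be reviewed, not silently treated as clean.
    """
    v = parse_version(version)
    if any(v == parse_version(a) for a in bug.affected):
        return "affected"
    for fix in bug.fixed_in:
        f = parse_version(fix)
        # Same release train (first two components) and at or past the fix.
        if v[:2] == f[:2] and v >= f:
            return "fixed"
    return "unknown"


def match_inventory(inventory, bugs):
    """Produce one finding per (asset, bug) pair whose product family matches."""
    findings = []
    for asset in inventory:
        for bug in bugs:
            if asset.product != bug.product:
                continue
            findings.append({
                "hostname": asset.hostname,
                "bug_id": bug.bug_id,
                "version": asset.version,
                "status": classify(bug, asset.version),
            })
    return findings


def summarize(findings):
    """Count findings by status; useful as the number fed to a ticket or dashboard."""
    counts = {"affected": 0, "fixed": 0, "unknown": 0}
    for finding in findings:
        counts[finding["status"]] += 1
    return counts


# Constructed sample data (placeholders, not real bug or device records).
SAMPLE_BUGS = [
    BugRecord("BUG-PLACEHOLDER-1", "router-os",
              affected=["17.9.3", "17.9.4"],
              fixed_in=["17.9.4a", "17.12.1"]),
]

SAMPLE_INVENTORY = [
    Asset("edge-rtr-01", "router-os", "17.9.4"),    # listed as affected
    Asset("edge-rtr-02", "router-os", "17.9.4a"),   # rebuild carrying the fix
    Asset("edge-rtr-03", "router-os", "17.12.2"),   # later release in a fixed train
    Asset("edge-rtr-04", "router-os", "17.6.1"),    # not listed either way
    Asset("core-sw-01", "switch-os", "16.12.5"),    # different product family
]

if __name__ == "__main__":
    results = match_inventory(SAMPLE_INVENTORY, SAMPLE_BUGS)
    for finding in results:
        print(f"{finding['hostname']:12} {finding['version']:9} "
              f"{finding['bug_id']:18} {finding['status']}")
    print(summarize(results))
```

In practice the bug records would be pulled from the vendor's bug search or release notes on a schedule and the inventory from your CMDB or network management system; the matching logic above is the part that stays the same. Tracking "unknown" as its own state is what keeps a newly announced bug from being missed just because the running release was not on the vendor's original affected list.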
