Files
T

1.3 KiB

Standards and References - Vulnerability Aging and SLA Tracking

Industry Standards

  • NIST SP 800-40 Rev 4: Guide to Enterprise Patch Management Planning
  • CIS Controls v8.1 Control 7: Continuous Vulnerability Management
  • PCI DSS v4.0 Req 6.3.3: Security patches installed within one month
  • BOD 22-01: CISA remediation timelines for KEV vulnerabilities
  • ISO 27001:2022 A.8.8: Management of technical vulnerabilities

SLA Benchmark References

Industry SLA Benchmarks

Source Critical High Medium Low
CISA BOD 22-01 2 weeks N/A N/A N/A
PCI DSS 30 days 30 days 90 days 90 days
Industry Average 14 days 30 days 60 days 90 days
Aggressive Target 48 hours 7 days 30 days 60 days

Vulnerability Statistics (2024)

  • Total new CVEs published: 30,000+
  • Year-over-year increase: 17%
  • Average MTTR across industries: ~60 days
  • Top-performing organizations MTTR: < 15 days for critical