UIS.204.2 Vulnerability Remediation Deferral Guidelines

In support of UIS.204 Vulnerability Management Policy

Georgetown University has adopted the threat and vulnerability management principles established in NIST SP 800-171 “Risk Assessment” and “Security Assessment” control guidelines as the official policy for this security domain. Each system administrator and system owner must adhere to the guidelines and procedures associated with this policy in order to support and be compliant with the University information security framework.  

In accordance with the Vulnerability Management Policy, applicable and required patches and updates are deployed on a regular schedule or whenever emergency vulnerability remediation is required. Occasionally, remediation activities – including patch installation, system rebooting, or application removal – may lead to disruption of services or significant interference with the University operations. Deferrals – or delayed deployment – of vulnerability remediation can be requested for demonstrated cases of interruption.  

Vulnerability Remediation Deferral Requirements

Arrangements may be requested to remediate vulnerabilities outside of the scheduled window.  Unpatched systems represent a threat to themselves and to the University, and may be removed from network access if left unpatched for a period that significantly raises the risk to the University if the system remains vulnerable.

Remediation deferrals are accepted, reviewed, and evaluated by the Chief Information Security Officer (CISO) when requested with a validated business cases, clearly outlining why the existing vulnerability remediation schedule or activity will present significant interruption or interference with University operations.

Remediation Deferral Process:
  1. Requester provides documentation justifying the reason the remediation action cannot be taken.
  2. The UIS Vulnerability Response Group (UIS VRG) evaluates each request and submits requests to the Chief Information Security Officer (CISO) with recommendations.
  3. The CISO may either approve, deny, or escalate the request depending on its merits. That decision will be relayed to the appropriate parties (including the requester) for next action(s).
  4. In the event the deferral is not approved, the system administrator is responsible for executing the remediation activity as directed by the UIS VRG.​

The requester must submit the deferral request within the remediation window established by the risk rating/criticality score of the vulnerability. The UIS VRG is the team responsible for determining the criticality score and the actions that are required to address the vulnerability. 

In order to be fully reviewed, the deferral request must include:

  • Individual identifier for the asset
  • Asset owner and responsible party (dean/director/chair, requester, etc.)
  • How the device is currently being used
  • The reason(s) remediation activity cannot be executed on schedule (interruption or degradation in service or departmental operations, application incompatibility, etc)
  • The mitigating controls that will be enabled in lieu of remediation
  • The time frame for full vulnerability remediation