Georgetown University has adopted the threat and vulnerability management principles established in the NIST SP 800-171 “Risk Assessment” and “Security Assessment” control guidelines as the official policy for this security domain. Each system administrator and system owner must adhere to the guidelines and procedures associated with this policy to support, and remain compliant with, the University information security framework.

Vulnerability scans are performed on a regular, scheduled basis on all University assets; potential vulnerabilities are identified and validated, criticality is assessed using a tailored risk rating formula, and remediation actions are taken in a timely manner to safeguard the University’s information technology systems and data.

Server Patch Management Requirements

  1. All servers must maintain applicable and available up-to-date patches for operating systems (OS), applications and middleware.

    • Production servers must have automatic updates enabled for operating system patches.

    • Applications and middleware must have regular patching enabled for their software, scheduled according to criticality.

    • Critical server vulnerabilities are addressed in accordance with the Critical Vulnerabilities Implementation Guide.

  2. Applicable out-of-band patches must be scheduled for deployment in accordance with the risk-based patch deployment schedule outlined by the University Information Security Office (UISO).

Out of Band Emergency Patching

  High – Patch within 48 hours
    • Severity Rating of 5, and/or
    • Remotely exploitable and/or CVSS > 7, and/or
    • Vendor “Critical” (or equivalent)

  Medium – Patch within 7 days
    • Severity Rating of 4, and/or
    • CVSS > 7, and/or Vendor “High” (or equivalent)

  Low – Patch within 14 days
    • Severity Rating of < 4
    • CVSS > 5, and/or Vendor “Medium” (or equivalent)

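The schedule above, turned into a small triage routine that assigns each scan finding a tier and flags findings past their patch window. This is an added example, not University or UISO tooling; the finding fields, the sample data and the reading of the High tier's "remotely exploitable and/or CVSS > 7" as remotely exploitable with CVSS > 7 (so a CVSS > 7 finding that is not remotely exploitable lands in Medium) are assumptions made here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Out-of-band patch windows from the schedule (tier -> hours allowed to patch).
WINDOW_HOURS = {"High": 48, "Medium": 7 * 24, "Low": 14 * 24}


@dataclass
class Finding:
    host: str
    ident: str                # identifier as reported by the scanner (placeholder here)
    severity: int             # scanner severity rating, 1-5 (assumed scale)
    cvss: float
    remotely_exploitable: bool
    vendor_rating: str        # vendor's own rating: "Critical", "High", "Medium", ...
    notified: datetime        # when the patch requirement was notified


def tier(f: Finding) -> str:
    """Evaluate High first so the most urgent matching criterion wins.
    Assumption: High's 'remotely exploitable and/or CVSS > 7' is read as
    remotely exploitable AND CVSS > 7. Low is the remainder, since its
    'Severity Rating of < 4' covers every finding not already High or Medium."""
    v = f.vendor_rating.lower()
    if f.severity == 5 or (f.remotely_exploitable and f.cvss > 7) or v == "critical":
        return "High"
    if f.severity == 4 or f.cvss > 7 or v == "high":
        return "Medium"
    return "Low"


def deadline(f: Finding) -> datetime:
    """Patch-by time: notification time plus the tier's window."""
    return f.notified + timedelta(hours=WINDOW_HOURS[tier(f)])


def overdue(findings, now: datetime) -> list:
    """(host, identifier, tier) for every finding whose window has already passed."""
    return [(f.host, f.ident, tier(f)) for f in findings if now > deadline(f)]


# Constructed sample findings; identifiers are placeholders, not real advisories.
SAMPLE = [
    Finding("web-01", "EXAMPLE-0001", 3, 9.8, True, "Important", datetime(2024, 1, 1, 9)),
    Finding("db-02", "EXAMPLE-0002", 3, 8.1, False, "Important", datetime(2024, 1, 1, 9)),
    Finding("app-03", "EXAMPLE-0003", 2, 5.5, False, "Medium", datetime(2024, 1, 1, 9)),
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f.host, tier(f), deadline(f).isoformat())
    print("overdue:", overdue(SAMPLE, datetime(2024, 1, 10, 9)))
```

Feeding the routine the scanner's export lets the patching team produce the per-cycle metrics the policy asks for, with the overdue list doubling as the trigger for a deferment request.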
  1. Teams responsible for applying patches are required to compile and maintain reporting metrics that summarize the outcome of each patching cycle.

  2. Patching activities are recorded in the established Change Management Processes.

  3. Patching reports are kept up to date and made available to University stakeholders on request.

  4. If, for any reason, patches cannot be deployed and installed on University production servers, the responsible system administrator must submit a patch deferment request to UISO immediately upon notification of that patch requirement.

  5. Any server deemed non-compliant in terms of its patch status will be subject to compensating security controls, which may include restricted or limited access, or temporary or permanent removal from the University computing environment.

  6. Only the University Chief Information Officer (CIO), upon advice from the University Information Security Officer (CISO), can evaluate the risks presented by non-compliant computing systems and will determine the actions required to address them.