The information resource owner, or designee, is responsible for ensuring that all requirements of this Control are satisfied.

The university is responsible for:

Identifying, reporting, and correcting information resource security flaws as described in RA-5.

Testing software and firmware updates related to security flaw remediation for effectiveness and potential side effects before installation as described in CM-1.

Installing security-relevant software and firmware updates within timelines as specified in CM-1.

Incorporating security flaw remediation into the unit’s configuration management process (CM-3).