You fix the vulnerabilities you find, prioritized by risk.
What it actually means
Finding vulnerabilities (3.11.2) only matters if you fix them. Remediate based on risk, highest-risk first, and track each finding to closure. This requirement connects scanning, risk, and patching into one loop.
Pass or fail — an assessor needs a "yes" to each
- Vulnerabilities are remediated, prioritized by risk.
- Remediation is tracked to closure.
- Timelines align with risk.
What to have ready
- Remediation tracking (tickets/POA&M)
- Before/after scan results
- Prioritization tied to risk
Where teams trip up
- Findings logged but never closed
- No prioritization — everything or nothing
- No tracking of remediation