The organization:
(a) Measures the time between flaw identification and flaw remediation; and
(b) Establishes [Assignment: organization-defined benchmarks] for taking corrective actions.
b. within the period directed by an authorative source (e.g. IAVM, CTOs, DTMs, STIGs)
Source:
DoD RMF TAG
This control enhancement requires organizations to determine the current time it takes on the average to correct information system flaws after such flaws have been identified, and subsequently establish organizational benchmarks (i.e., time frames) for taking corrective actions. Benchmarks can be established by type of flaw and/or severity of the potential vulnerability if the flaw can be exploited.