Establishes requirements for identifying, reporting, and correcting system flaws, providing protection from malicious code, and monitoring system security alerts, covering the 7 controls of NIST SP 800-171 Rev 2 family 3.14 (System and Information Integrity).

OCSI shall identify, report, and correct information and system flaws in a timely manner. The organization shall provide protection from malicious code at appropriate locations within organizational systems and monitor system security alerts and advisories.

| Control | Requirement | Implementation | Status |
|---|---|---|---|
| 3.14.1 | Identify, report, and correct information and information system flaws in a timely manner | PARTIAL. Flaw identification currently relies on manual review only. No automated vulnerability scanning. No external MSSP assessments conducted. Risk-based SLA defined (Critical: 24hr, High: 72hr, Medium: 30 days, Low: 90 days) but not tested. Remediation tracked via POA&M. | Partial |
| 3.14.2 | Provide protection from malicious code at appropriate locations within organizational systems | CSP prevents code injection by restricting script sources to 'self'. No user-supplied input rendered as HTML (all input sanitized). No eval(), innerHTML with unsanitized data, or dynamic script loading. Static HTML architecture minimizes injection vectors. | Implemented |
| 3.14.3 | Monitor system security alerts, advisories, and directives and take appropriate actions in response | NOT IMPLEMENTED. No external MSSP provides monitoring. No formal process for monitoring NIST NVD, CISA alerts, or GoDaddy advisories. No designated person or process for security alert triage. | Not Implemented |
| 3.14.4 | Update malicious code protection mechanisms when new releases are available | PARTIAL. CSP provides baseline protection. CDN dependencies are not reviewed on any schedule. No external MSSP recommends updates. Browser-based protections update automatically via browser vendors (not OCSI-controlled). | Partial |
| 3.14.5 | Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed | NOT IMPLEMENTED. No vulnerability scanning tools are in use. No external MSSP performs scans. Security headers are set but not verified on any recurring schedule. No SRI hashes on CDN resources. Deployment files are not scanned. | Not Implemented |
| 3.14.6 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks | PARTIAL. Audit logging captures authentication events and data modifications (client-side only). Failed login lockout exists. CSP violation reports configured. However: no SIEM, no server-side monitoring, no network traffic analysis, no real-time alerting. | Partial |
| 3.14.7 | Identify unauthorized use of organizational systems | PARTIAL. Audit log tracks access with timestamps. Failed login attempts logged. However: logs are client-side only (deletable by user), no weekly review occurs, no anomaly detection, and single shared account prevents identifying individual users. | Partial |

| Threat | Mitigation | Control(s) |
|---|---|---|
| Cross-Site Scripting (XSS) | CSP, input sanitization, no unsafe-inline scripts, X-XSS-Protection header | 3.14.2, 3.13.13 |
| Code Injection | No eval(), no dynamic script loading, CSP script-src 'self' | 3.14.2 |
| Clickjacking | X-Frame-Options DENY, CSP frame-ancestors 'none' | 3.13.1 |
| MIME Sniffing | X-Content-Type-Options nosniff | 3.13.2 |
| Credential Theft | SHA-256 hashing, account lockout, session timeout | 3.5.10, 3.5.6 |
| Data Exfiltration | CSP connect-src 'self', Referrer-Policy | 3.13.4, 3.13.6 |