Continuous Scanning & Remediation SLAs
Continuous vulnerability scanning covers all system components: application code dependencies, container images, infrastructure configurations, and operating system packages. Scans run both in the CI pipeline (catching vulnerabilities before deployment) and against production environments on a scheduled basis (catching vulnerabilities disclosed after deployment).
Critical and high-severity vulnerabilities have documented remediation timelines. The recommended timelines are 72 hours for critical findings and 30 days for high-severity findings. These SLAs are documented in the AISDP and tracked in a vulnerability management register. The register records each vulnerability’s identifier (CVE or equivalent), severity, affected component, discovery date, remediation deadline, remediation status, and the identity of the person responsible.
The remediation SLAs are compliance commitments. A critical vulnerability that remains unpatched beyond the SLA is a non-conformity tracked in the non-conformity register. The vulnerability count by severity and the remediation status are reported to the governance team as Module 9 compliance metrics. The security team retains scan results and remediation records as Module 9 evidence.
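As an added example (not part of the AISDP or any tooling the page describes), a small Python model of the register described above: it derives each finding's remediation deadline from its discovery date and the 72-hour / 30-day SLAs, lists findings still open past their deadline as non-conformity candidates, and produces the per-severity status counts reported as compliance metrics. Identifiers, dates, components and owners are constructed placeholders.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Remediation SLAs as stated in the policy: critical 72 hours, high 30 days.
SLA = {"critical": timedelta(hours=72), "high": timedelta(days=30)}


@dataclass
class Finding:
    identifier: str       # CVE or equivalent (placeholders below, not real CVEs)
    severity: str         # "critical", "high", ...
    component: str        # affected component
    discovered: datetime  # discovery date, timezone-aware
    status: str           # "open" or "remediated"
    owner: str            # person responsible

    def deadline(self):
        """Discovery date plus the SLA for this severity; None if no SLA applies."""
        sla = SLA.get(self.severity)
        return self.discovered + sla if sla else None


def non_conformities(register, now):
    """Findings still open past their deadline: candidates for the non-conformity register."""
    return [f for f in register
            if f.status == "open" and f.deadline() is not None and f.deadline() < now]


def metrics(register):
    """Counts by (severity, status), the figures reported to governance."""
    return Counter((f.severity, f.status) for f in register)


# Constructed sample register (assumed values for illustration only).
NOW = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)
REGISTER = [
    Finding("CVE-PLACEHOLDER-1", "critical", "container image: api", NOW - timedelta(hours=80), "open", "alice"),
    Finding("CVE-PLACEHOLDER-2", "critical", "os package: libssl", NOW - timedelta(hours=10), "open", "bob"),
    Finding("CVE-PLACEHOLDER-3", "high", "dependency: http client", NOW - timedelta(days=31), "open", "carol"),
    Finding("CVE-PLACEHOLDER-4", "high", "iac: bucket policy", NOW - timedelta(days=40), "remediated", "dave"),
]

if __name__ == "__main__":
    for f in non_conformities(REGISTER, NOW):
        print(f"NON-CONFORMITY {f.identifier} ({f.severity}) owner={f.owner} "
              f"deadline={f.deadline().isoformat()}")
    print(dict(metrics(REGISTER)))
```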
Key outputs
- Continuous scanning across all component layers
- Documented remediation SLAs (critical: 72 hours; high: 30 days)
- Vulnerability management register with tracking per finding
- Module 9 AISDP evidence