Common use of VULNERABILITIES AND CORRECTIVE ACTION Clause in Contracts

VULNERABILITIES AND CORRECTIVE ACTION.
10.1 The Authority and the Supplier acknowledge that from time to time vulnerabilities in the Information System will be discovered which, unless mitigated, will present an unacceptable risk to the Data.
10.2 The severity of threat vulnerabilities for Supplier COTS Software and Third Party COTS Software shall be categorised by the Supplier as ‘Critical’, ‘Important’ and ‘Other’ by aligning these categories to the vulnerability scoring according to the agreed method in the Information Risk Management Documentation and using the appropriate vulnerability scoring systems including:
10.2.1 the ‘National Vulnerability Database’ ‘Vulnerability Severity Ratings’: ‘High’, ‘Medium’ and ‘Low’ respectively (these in turn are aligned to CVSS as set out by NIST ▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇/▇▇▇▇.▇▇▇); and
10.2.2 Microsoft’s ‘Security Bulletin Severity Rating System’ ratings ‘Critical’, ‘Important’, and the two remaining levels (‘Moderate’ and ‘Low’) respectively.
10.3 The Supplier shall procure the application of security patches to vulnerabilities in the Information System within a maximum period from the public release of such patches, with those vulnerabilities categorised as ‘Critical’ within 7 days of release, ‘Important’ within 30 days of release and all ‘Other’ within 60 Working Days of release, except where:
10.3.1 the Supplier can demonstrate that a vulnerability in the Information System is not exploitable within the context of the Services (e.g. because it resides in a software component which is not running in the service), provided that vulnerabilities which the Supplier asserts cannot be exploited within the context of the Services must be remedied by the Supplier within the above timescales if the vulnerability becomes exploitable within the context of the Services;
10.3.2 the application of a ‘Critical’ or ‘Important’ security patch adversely affects the Supplier’s ability to deliver the Services, in which case the Supplier shall be granted an extension to such timescales of 5 days, provided the Supplier had followed and continues to follow the security patch test plan agreed with the Authority; or
10.3.3 the Authority agrees a different maximum period after a case-by-case consultation with the Supplier under the processes defined in the Information Risk Management Documentation.
10.4 The Information Risk Management Documentation shall include provisions for major version upgrades of all Supplier Software and Third Party Software which are COTS Products to be kept up to date such that all Supplier Software and Third Party Software which are COTS Products are always in mainstream support throughout the DMP Period unless otherwise agreed by the Authority in writing.
10.5 The Supplier shall:
10.5.1 implement a mechanism for receiving, analysing and acting upon threat information supplied by GovCertUK, or any other competent Central Government Body;
10.5.2 promptly notify GovCertUK of any actual or sustained attempted Breach of Security;
10.5.3 ensure that the Information System is monitored to facilitate the detection of anomalous behaviour that would be indicative of system compromise;
10.5.4 ensure it is knowledgeable about the latest trends in threat, vulnerability and exploitation that are relevant to the Information System by actively monitoring the threat landscape during the DMP Period;
10.5.5 pro-actively scan the Information System for vulnerable components and address discovered vulnerabilities through the processes described in the Information Risk Management Documentation;
10.5.6 ensure that the Board person responsible ensures that the service is patched in accordance with the timescales specified, to achieve the security outcomes;
10.5.7 propose interim mitigation measures to vulnerabilities in the Information System known to be exploitable where a security patch is not immediately available;
10.5.8 remove or disable any extraneous interfaces, services or capabilities that are not needed for the provision of the Services (in order to reduce the attack surface of the Information System); and
10.5.9 inform the Authority when it becomes aware of any new threat, vulnerability or exploitation technique that has the potential to affect the security of the Information System and provide initial indications of possible mitigations.
10.6 If the Supplier is unlikely to be able to mitigate the vulnerability within the timescales under Paragraph 10, the Supplier shall immediately notify the Authority.
10.7 A failure to comply with Paragraph 10.3 shall constitute a material Default.
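As an added example (not text or code from any of the contracts quoted on this page), the following Python models the severity mapping in 10.2 and the patch timescales and exceptions in 10.3 of the clause above, so a patch register can be checked against the contractual deadlines. The Working Day calendar (Monday to Friday, no public holidays), the record fields, the "at risk" warning threshold used for 10.6 and the placeholder identifiers are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class Category(Enum):
    CRITICAL = "Critical"
    IMPORTANT = "Important"
    OTHER = "Other"


# 10.2.1: NVD 'High', 'Medium', 'Low' map to the three contract categories respectively.
NVD_MAP = {"High": Category.CRITICAL, "Medium": Category.IMPORTANT, "Low": Category.OTHER}
# 10.2.2: Microsoft 'Critical' and 'Important' map directly; the two remaining levels are 'Other'.
MICROSOFT_MAP = {
    "Critical": Category.CRITICAL,
    "Important": Category.IMPORTANT,
    "Moderate": Category.OTHER,
    "Low": Category.OTHER,
}


def categorise(source: str, rating: str) -> Category:
    """Map a vendor/NVD severity rating to the clause's Critical/Important/Other category."""
    table = {"nvd": NVD_MAP, "microsoft": MICROSOFT_MAP}[source.lower()]
    if rating not in table:
        raise ValueError(f"unknown {source} rating {rating!r}")
    return table[rating]


def add_working_days(start: date, n: int) -> date:
    """Advance n Working Days. Assumption: Monday to Friday only; public holidays not modelled."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def patch_deadline(category: Category, released: date, extension: bool = False) -> date:
    """10.3 timescales, counted from the public release of the patch."""
    if category is Category.CRITICAL:
        deadline = released + timedelta(days=7)       # 7 days
    elif category is Category.IMPORTANT:
        deadline = released + timedelta(days=30)      # 30 days
    else:
        deadline = add_working_days(released, 60)     # 60 Working Days
    # 10.3.2: the 5-day extension exists only for 'Critical' or 'Important' patches,
    # and only while the agreed security patch test plan is being followed.
    if extension:
        if category is Category.OTHER:
            raise ValueError("10.3.2 extension applies only to Critical/Important patches")
        deadline += timedelta(days=5)
    return deadline


@dataclass
class PatchRecord:
    ident: str                       # constructed placeholder id, not a real CVE number
    source: str                      # "nvd" or "microsoft"
    rating: str
    released: date                   # public release date of the patch
    applied: Optional[date] = None   # None while the patch is outstanding
    extension_granted: bool = False  # 10.3.2 extension agreed with the Authority
    not_exploitable: bool = False    # 10.3.1 assertion (must still be fixed if that changes)


def assess(rec: PatchRecord, as_of: date) -> dict:
    """Return category, deadline, elapsed days and compliance status for one record."""
    cat = categorise(rec.source, rec.rating)
    deadline = patch_deadline(cat, rec.released, rec.extension_granted)
    if rec.not_exploitable:
        status = "deferred (10.3.1)"
    elif rec.applied is not None:
        status = "compliant" if rec.applied <= deadline else "late (material Default, 10.7)"
    elif as_of > deadline:
        status = "overdue (material Default, 10.7)"
    elif (deadline - as_of).days <= 2:   # assumed warning window for the 10.6 notification
        status = "at risk (notify Authority, 10.6)"
    else:
        status = "outstanding"
    # Elapsed time between public release and application (or the report date).
    end = rec.applied if rec.applied is not None else as_of
    return {"id": rec.ident, "category": cat.value, "deadline": deadline,
            "elapsed_days": (end - rec.released).days, "status": status}


def demo_register(as_of: date = date(2024, 3, 15)) -> list:
    """Constructed sample register; returns one assessment per record."""
    register = [
        PatchRecord("PLACEHOLDER-1", "nvd", "High", date(2024, 3, 1), applied=date(2024, 3, 10)),
        PatchRecord("PLACEHOLDER-2", "microsoft", "Important", date(2024, 3, 1)),
        PatchRecord("PLACEHOLDER-3", "microsoft", "Moderate", date(2024, 3, 1)),
        PatchRecord("PLACEHOLDER-4", "nvd", "High", date(2024, 3, 5), extension_granted=True),
    ]
    return [assess(r, as_of) for r in register]


if __name__ == "__main__":
    for row in demo_register():
        print(row)
```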

Appears in 3 contracts

Sources: Dynamic Marketplace Agreement, Dynamic Marketplace Agreement, Dynamic Marketplace Agreement

VULNERABILITIES AND CORRECTIVE ACTION.
9.1 The Parties acknowledge that from time to time vulnerabilities in the Information Management System may be discovered which, unless mitigated, will present an unacceptable risk to the Authority Data.
9.2 The severity of threat vulnerabilities for Supplier COTS Software and Third Party COTS Software shall be categorised by the Supplier as ‘Critical’, ‘Important’ and ‘Other’ by aligning these categories to the vulnerability scoring according to the agreed method in the Information Security Management Plan and using the appropriate vulnerability scoring systems including:
(a) the ‘National Vulnerability Database’ ‘Vulnerability Severity Ratings’: ‘High’, ‘Medium’ and ‘Low’ respectively (these in turn are aligned to CVSS scores as set out by NIST at ▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇/▇▇▇▇.▇▇▇); and
(b) Microsoft’s ‘Security Bulletin Severity Rating System’ ratings ‘Critical’, ‘Important’, and the two remaining levels (‘Moderate’ and ‘Low’) respectively.
9.3 Subject to paragraph 9.4, the Supplier shall procure the application of security patches to vulnerabilities in the Information Management System within:
(a) 7 days after the public release of patches for those vulnerabilities categorised as ‘Critical’;
(b) 30 days after the public release of patches for those vulnerabilities categorised as ‘Important’; and
(c) 30 days after the public release of patches for those vulnerabilities categorised as ‘Other’.
9.4 The timescales for applying patches to vulnerabilities in the Information Management System set out in paragraph 9.3 shall be extended where:
(a) the Supplier can demonstrate that a vulnerability in the Information Management System is not exploitable within the context of the Services (for example, because it resides in a Software component which is not involved in the Services), provided that such vulnerabilities which the Supplier asserts cannot be exploited within the context of the Services shall be remedied by the Supplier within the timescales set out in paragraph 9.3 if the vulnerability becomes exploitable within the context of the Services;
(b) the application of a ‘Critical’ or ‘Important’ security patch adversely affects the Supplier’s ability to deliver the Services, in which case the Supplier shall be granted an extension to such timescales of 5 days, provided the Supplier had followed and continues to follow the security patch test plan agreed with the Authority; or
(c) the Authority agrees a different maximum period after a case-by-case consultation with the Supplier under the processes defined in the Information Security Management Plan.
9.5 The Information Security Management Plan shall include provisions for major version upgrades of all Supplier COTS Software and Third Party Software which are COTS Products to be kept up to date such that all Supplier COTS Software and Third Party Software which are COTS Products are always in mainstream support throughout the Term unless otherwise agreed by the Authority in writing. All COTS Software should be no more than N-1 versions behind the latest software release.

Appears in 2 contracts

Sources: Contract for Services, Contract for Services

VULNERABILITIES AND CORRECTIVE ACTION.
10.1 The Parties acknowledge that from time to time vulnerabilities in the Information Management System may be discovered which, unless mitigated, will present an unacceptable risk to the Authority Data.
The severity of threat vulnerabilities for Supplier COTS Software and Third Party COTS Software shall be categorised by the Supplier as ‘Critical’, ‘Important’ and ‘Other’ by aligning these categories to the vulnerability scoring according to the agreed method in the Information Security Management Plan and using the appropriate vulnerability scoring systems including: the ‘National Vulnerability Database’ ‘Vulnerability Severity Ratings’: ‘High’, ‘Medium’ and ‘Low’ respectively (these in turn are aligned to CVSS scores as set out by NIST at ▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇/▇▇▇▇.▇▇▇); and Microsoft’s ‘Security Bulletin Severity Rating System’ ratings ‘Critical’, ‘Important’, and the two remaining levels (‘Moderate’ and ‘Low’) respectively.
Subject to paragraph 9.4, the Supplier shall procure the application of security patches to vulnerabilities in the Information Management System within: 7 days after the public release of patches for those vulnerabilities categorised as ‘Critical’; 30 days after the public release of patches for those vulnerabilities categorised as ‘Important’; and 30 days after the public release of patches for those vulnerabilities categorised as ‘Other’.
The timescales for applying patches to vulnerabilities in the Information Management System set out in paragraph 9.3 shall be extended where: the Supplier can demonstrate that a vulnerability in the Information Management System is not exploitable within the context of the Services (for example, because it resides in a Software component which is not involved in the Services), provided that such vulnerabilities which the Supplier asserts cannot be exploited within the context of the Services shall be remedied by the Supplier within the timescales set out in paragraph 9.3 if the vulnerability becomes exploitable within the context of the Services; the application of a ‘Critical’ or ‘Important’ security patch adversely affects the Supplier’s ability to deliver the Services, in which case the Supplier shall be granted an extension to such timescales of 5 days, provided the Supplier had followed and continues to follow the security patch test plan agreed with the Authority; or the Authority agrees a different maximum period after a case-by-case consultation with the Supplier under the processes defined in the Information Security Management Plan.
The Information Security Management Plan shall include provisions for major version upgrades of all Supplier COTS Software and Third Party Software which are COTS Products to be kept up to date such that all Supplier COTS Software and Third Party Software which are COTS Products are always in mainstream support throughout the Term unless otherwise agreed by the Authority in writing. All COTS Software should be no more than N-1 versions behind the latest software release.

Appears in 1 contract

Sources: Contract for Goods

VULNERABILITIES AND CORRECTIVE ACTION.
10.1 The Authority and the Supplier acknowledge that from time to time vulnerabilities in the Information Management System will be discovered which, unless mitigated, will present an unacceptable risk to the Authority Data.
The severity of threat vulnerabilities for Supplier COTS Software and Third Party COTS Software shall be categorised by the Supplier as ‘Critical’, ‘Important’ and ‘Other’ by aligning these categories to the vulnerability scoring according to the agreed method in the Information Security Management Plan and using the appropriate vulnerability scoring systems including: the ‘National Vulnerability Database’ ‘Vulnerability Severity Ratings’: ‘High’, ‘Medium’ and ‘Low’ respectively (these in turn are aligned to CVSS scores as set out by NIST at ▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇/▇▇▇▇.▇▇▇); and Microsoft’s ‘Security Bulletin Severity Rating System’ ratings ‘Critical’, ‘Important’, and the two remaining levels (‘Moderate’ and ‘Low’) respectively.
Subject to Paragraph .4, the Supplier shall procure the application of security patches to vulnerabilities in the Information Management System within: seven (7) days after the public release of patches for those vulnerabilities categorised as ‘Critical’; thirty (30) days after the public release of patches for those vulnerabilities categorised as ‘Important’; and sixty (60) days after the public release of patches for those vulnerabilities categorised as ‘Other’.
The timescales for applying patches to vulnerabilities in the Information Management System set out in Paragraph .3 shall be extended where: the Supplier can demonstrate that a vulnerability in the Information Management System is not exploitable within the context of the Services (e.g. because it resides in a Software component which is not involved in the Services), provided that such vulnerabilities which the Supplier asserts cannot be exploited within the context of the Services shall be remedied by the Supplier within the timescales set out in Paragraph .3 if the vulnerability becomes exploitable within the context of the Services; the application of a ‘Critical’ or ‘Important’ security patch adversely affects the Supplier’s ability to deliver the Services, in which case the Supplier shall be granted an extension to such timescales of five (5) days, provided the Supplier had followed and continues to follow the security patch test plan agreed with the Authority; or the Authority agrees a different maximum period after a case-by-case consultation with the Supplier under the processes defined in the Information Security Management Plan.
The Information Security Management Plan shall include provisions for major version upgrades of all Supplier COTS Software and Third Party Software which are COTS Products to be kept up to date such that all Supplier COTS Software and Third Party Software which are COTS Products are always in mainstream support throughout the Term unless otherwise agreed by the Authority in writing. All COTS Software should be no more than N-1 versions behind the latest software release.

Appears in 1 contract

Sources: Services Agreement

VULNERABILITIES AND CORRECTIVE ACTION.
10.1 The Customer and the Supplier acknowledge that from time to time vulnerabilities in the “THE SERVICE” Information System will be discovered which, unless mitigated, will present an unacceptable risk to the “THE SERVICE” Data.
10.2 The severity of threat vulnerabilities for Supplier COTS Software and Third Party COTS Software shall be categorised by the Supplier as ‘Critical’, ‘Important’ and ‘Other’ by aligning these categories to the vulnerability scoring according to the agreed method in the “THE SERVICE” Information Risk Management Documentation and using the appropriate vulnerability scoring systems including:
10.2.1 the ‘National Vulnerability Database’ ‘Vulnerability Severity Ratings’: ‘High’, ‘Medium’ and ‘Low’ respectively (these in turn are aligned to CVSS as set out by NIST ▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇/vuln-metrics/cvss); and
10.2.2 Microsoft’s ‘Security Bulletin Severity Rating System’ ratings ‘Critical’, ‘Important’, and the two remaining levels (‘Moderate’ and ‘Low’) respectively.
10.3 The Supplier shall procure the application of security patches to vulnerabilities in the “THE SERVICE” Information System within a maximum period from the public release of such patches, with those vulnerabilities categorised as ‘Critical’ within 7 days of release, ‘Important’ within 30 days of release and all ‘Other’ within 60 Working Days of release, except where:
10.3.1 the Supplier can demonstrate that a vulnerability in the “THE SERVICE” Information System is not exploitable within the context of the Services (e.g. because it resides in a software component which is not running in the service), provided that vulnerabilities which the Supplier asserts cannot be exploited within the context of the Services must be remedied by the Supplier within the above timescales if the vulnerability becomes exploitable within the context of the Services;
10.3.2 the application of a ‘Critical’ or ‘Important’ security patch adversely affects the Supplier’s ability to deliver the Services, in which case the Supplier shall be granted an extension to such timescales of 5 days, provided the Supplier had followed and continues to follow the security patch test plan agreed with the Customer; or
10.3.3 the Customer agrees a different maximum period after a case-by-case consultation with the Supplier under the processes defined in the “THE SERVICE” Information Risk Management Documentation.
10.4 The “THE SERVICE” Information Risk Management Documentation shall include provisions for major version upgrades of all Supplier Software and Third Party Software which are COTS Products to be kept up to date such that all Supplier Software and Third Party Software which are COTS Products are always in mainstream support throughout the Term unless otherwise agreed by the Customer in writing.
10.5 The Supplier shall:
10.5.1 implement a mechanism for receiving, analysing and acting upon threat information supplied by GovCertUK, or any other competent Central Government Body;
10.5.2 promptly notify GovCertUK of any actual or sustained attempted Breach of Security;
10.5.3 ensure that the “THE SERVICE” Information System is monitored to facilitate the detection of anomalous behaviour that would be indicative of system compromise;
10.5.4 ensure it is knowledgeable about the latest trends in threat, vulnerability and exploitation that are relevant to the “THE SERVICE” Information System by actively monitoring the threat landscape during the Commercial Agreement Term;
10.5.5 pro-actively scan the “THE SERVICE” Information System for vulnerable components and address discovered vulnerabilities through the processes described in the “THE SERVICE” Information Risk Management Documentation;
10.5.6 ensure that, from the date specified in the Information Risk Management Approval plan and within 5 Working Days of the end of each subsequent month during the Term, it provides the Customer with a written report which details both patched and outstanding vulnerabilities in the “THE SERVICE” Information System and any elapsed time between the public release date of patches and either the time of application or, for outstanding vulnerabilities, the time of issue of such report;
10.5.7 propose interim mitigation measures to vulnerabilities in the “THE SERVICE” Information System known to be exploitable where a security patch is not immediately available;
10.5.8 remove or disable any extraneous interfaces, services or capabilities that are not needed for the provision of the Services (in order to reduce the attack surface of the “THE SERVICE” Information System); and
10.5.9 inform the Customer when it becomes aware of any new threat, vulnerability or exploitation technique that has the potential to affect the security of the “THE SERVICE” Information System and provide initial indications of possible mitigations.
10.6 If the Supplier is unlikely to be able to mitigate the vulnerability within the timescales under Paragraph 10, the Supplier shall immediately notify the Customer.
10.7 A failure to comply with Paragraph 10.3 shall constitute a material Default.

Appears in 1 contract

Sources: Commercial Agreement

VULNERABILITIES AND CORRECTIVE ACTION.
10.1 The Authority and the Supplier acknowledge that from time to time vulnerabilities in the Information Management System will be discovered which, unless mitigated, will present an unacceptable risk to the Authority Data.
The severity of threat vulnerabilities for Supplier COTS Software and Third Party COTS Software shall be categorised by the Supplier as ‘Critical’, ‘Important’ and ‘Other’ by aligning these categories to the vulnerability scoring according to the agreed method in the Information Security Management Plan and using the appropriate vulnerability scoring systems including: the ‘National Vulnerability Database’ ‘Vulnerability Severity Ratings’: ‘High’, ‘Medium’ and ‘Low’ respectively (these in turn are aligned to CVSS scores as set out by NIST at ▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇/▇▇▇▇.▇▇▇); and Microsoft’s ‘Security Bulletin Severity Rating System’ ratings ‘Critical’, ‘Important’, and the two remaining levels (‘Moderate’ and ‘Low’) respectively.
Subject to Paragraph 99.4, the Supplier shall procure the application of security patches to vulnerabilities in the Information Management System within: seven (7) days after the public release of patches for those vulnerabilities categorised as ‘Critical’; thirty (30) days after the public release of patches for those vulnerabilities categorised as ‘Important’; and sixty (60) days after the public release of patches for those vulnerabilities categorised as ‘Other’.
The timescales for applying patches to vulnerabilities in the Information Management System set out in Paragraph 99.3 shall be extended where: the Supplier can demonstrate that a vulnerability in the Information Management System is not exploitable within the context of the Services (e.g. because it resides in a Software component which is not involved in the Services), provided that such vulnerabilities which the Supplier asserts cannot be exploited within the context of the Services shall be remedied by the Supplier within the timescales set out in Paragraph 99.3 if the vulnerability becomes exploitable within the context of the Services; the application of a ‘Critical’ or ‘Important’ security patch adversely affects the Supplier’s ability to deliver the Services, in which case the Supplier shall be granted an extension to such timescales of five (5) days, provided the Supplier had followed and continues to follow the security patch test plan agreed with the Authority; or the Authority agrees a different maximum period after a case-by-case consultation with the Supplier under the processes defined in the Information Security Management Plan.
The Information Security Management Plan shall include provisions for major version upgrades of all Supplier COTS Software and Third Party Software which are COTS Products to be kept up to date such that all Supplier COTS Software and Third Party Software which are COTS Products are always in mainstream support throughout the Term unless otherwise agreed by the Authority in writing. All COTS Software should be no more than N-1 versions behind the latest software release.

Appears in 1 contract

Sources: Services Agreement

VULNERABILITIES AND CORRECTIVE ACTION. HSE and the Provider acknowledge that from time to time vulnerabilities in the Information Management System will be discovered which unless mitigated will present an unacceptable risk to the HSE Data. The severity of threat vulnerabilities for COTS Software and Third Party COTS Software used by the Provider in the performance of the Services shall be categorised by the Provider as ‘Critical’, ‘Important’ and ‘Other’ by aligning these categories to the vulnerability scoring according to the agreed method in the Information Security Management Plan and using the appropriate vulnerability scoring systems including: the ‘National Vulnerability Database’ ‘Vulnerability Severity Ratings’: ‘High’, ‘Medium’ and ‘Low’ respectively (these in turn are aligned to CVSS scores as set out by NIST at ▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇/▇▇▇▇.▇▇▇); and Microsoft’s ‘Security Bulletin Severity Rating System’ ratings ‘Critical’, ‘Important’, and the two remaining levels (‘Moderate’ and ‘Low’) respectively. Subject to paragraph 9.4, the Provider shall procure the application of security patches to vulnerabilities in the Information Management System within: seven (7) days after the public release of patches for those vulnerabilities categorised as ‘Critical’; thirty (30) days after the public release of patches for those vulnerabilities categorised as ‘Important’; and sixty (60) days after the public release of patches for those vulnerabilities categorised as ‘Other’.
The timescales for applying patches to vulnerabilities in the Information Management System set out in paragraph 9.3 shall be extended where: the Provider can demonstrate that a vulnerability in the Information Management System is not exploitable within the context of the Services (e.g. because it resides in a software component which is not involved in running the Services) provided such vulnerabilities which the Provider asserts cannot be exploited within the context of the Services shall be remedied by the Provider within the timescales set out in paragraph 9.3 if the vulnerability becomes exploitable within the context of the Services; the application of a ‘Critical’ or ‘Important’ security patch adversely affects the Provider’s ability to deliver the Services, in which case the Provider shall be granted an extension to such timescales of five (5) days, provided the Provider had followed and continues to follow the security patch test plan agreed with HSE; or HSE agrees a different maximum period after a case-by-case consultation with the Provider under the processes defined in the Information Security Management Plan. The Information Security Management Plan shall include provisions for major version upgrades of all COTS Software and Third Party Software which are COTS Products to be kept up to date such that all COTS Software and Third Party Software which are COTS Products are always in mainstream support throughout the Term unless otherwise agreed by HSE in writing. All COTS Software should be no more than N-1 versions behind the latest software release.

Appears in 1 contract

Sources: Concession Agreement