3.14.3 — Act on Advisories
What It Says
Monitor system security alerts and advisories and take action in response.
What It Actually Means
Three things, all required:
- Monitor. You subscribe to and regularly review security alerts and advisories from relevant sources. Not just one source — multiple, covering the technologies in your CUI environment. Sources include: CISA alerts and the Known Exploited Vulnerabilities (KEV) catalog, Microsoft Security Response Center (MSRC), vendor security bulletins for every major product you use, and industry-specific threat feeds. The assessor will ask: “What sources do you monitor? How often?”
- Evaluate. When an advisory arrives, someone determines whether it’s relevant to your environment. Does the affected software or hardware exist in your CUI systems? What’s the severity? Is it being actively exploited? Not every advisory requires action — but every advisory requires evaluation.
- Take action. For relevant advisories, you respond with a documented action: emergency patching, configuration change, compensating control, risk acceptance, or communication to affected personnel. The key word is “documented” — the assessor wants to see evidence of the advisory, the evaluation, and the response.
This feeds directly into your patch management process (3.14.1). Advisories often trigger the “identify” step of flaw remediation. But this requirement is broader than patching — some advisories require configuration changes, network blocks, or operational procedure changes rather than patches.
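The evaluate and document steps above can be made mechanical. The script below is an added example, not code from this page or from CISA: it parses a feed in the shape of the KEV catalog JSON (the `vulnerabilities`, `cveID`, `vendorProject`, `product` and `requiredAction` field names are the real catalog's; the entries, CVE numbers, inventory, owners, subscribed sources and the per-severity deadlines in `RESPONSE_POLICY` are constructed placeholders), matches each advisory against an asset inventory of the CUI environment, assigns a default response category and due date by severity, and flags inventory vendors with no subscribed advisory source. The output records are the evidence an assessor asks for: what arrived, whether it applied, what was decided, by when, and who owns it.

```python
"""Advisory triage: KEV-style feed -> applicability decision -> documented action record.
Added example with constructed sample data; the policy values are assumptions."""
import json
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed response policy (only the category names come from the requirement text):
# default action and deadline in days per severity tier. Anything listed in KEV is
# treated as actively exploited, regardless of its CVSS score.
RESPONSE_POLICY = {
    "exploited": ("patch", 3),
    "critical": ("patch", 7),
    "high": ("patch", 14),
    "medium": ("patch", 30),
    "low": ("accept-risk", 90),
}


@dataclass
class Advisory:
    source: str           # feed or bulletin the advisory came from
    ident: str            # CVE ID or vendor advisory ID
    vendor: str
    product: str
    severity: str         # one of RESPONSE_POLICY's keys
    required_action: str  # vendor/CISA required action, copied into the record


def tier_for_cvss(score):
    """Map a CVSS base score to a policy tier (standard v3 qualitative bands)."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def advisories_from_kev(text):
    """Parse a KEV-shaped JSON document; every KEV entry is tier 'exploited'."""
    return [Advisory("CISA KEV", v["cveID"], v["vendorProject"], v["product"],
                     "exploited", v["requiredAction"])
            for v in json.loads(text)["vulnerabilities"]]


def _key(vendor, product):
    # Case- and whitespace-insensitive match; real inventories need a product alias table.
    return (vendor.strip().lower(), product.strip().lower())


def evaluate(advisories, inventory, today):
    """Return one evaluation record per advisory, applicable or not (every advisory is evaluated)."""
    owners = {_key(v, p): owner for v, p, owner in inventory}
    records = []
    for adv in advisories:
        owner = owners.get(_key(adv.vendor, adv.product))
        rec = {"id": adv.ident, "source": adv.source, "vendor": adv.vendor,
               "product": adv.product, "evaluated_on": today.isoformat(),
               "applicable": owner is not None, "severity": adv.severity,
               "action": "not-applicable", "due": None, "owner": owner,
               "required_action": adv.required_action}
        if owner is not None:
            action, days = RESPONSE_POLICY[adv.severity]
            rec["action"] = action
            rec["due"] = (today + timedelta(days=days)).isoformat()
        records.append(rec)
    return records


def uncovered_vendors(inventory, subscribed_sources):
    """Vendors present in the inventory with no advisory source subscribed."""
    subscribed = {s.strip().lower() for s in subscribed_sources}
    return sorted({v for v, _, _ in inventory if v.strip().lower() not in subscribed})


# Constructed sample feed: real KEV field names, placeholder CVE IDs (not real vulnerabilities).
SAMPLE_KEV = json.dumps({"title": "constructed sample, not the real catalog", "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "Microsoft", "product": "Exchange Server",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-0000-0002", "vendorProject": "Palo Alto Networks", "product": "PAN-OS",
     "requiredAction": "Apply mitigations per vendor instructions."},
    {"cveID": "CVE-0000-0003", "vendorProject": "ExampleCo", "product": "NotDeployed",
     "requiredAction": "Apply updates per vendor instructions."},
]})
# Constructed inventory of the CUI environment: (vendor, product, owning team).
SAMPLE_INVENTORY = [("Microsoft", "Exchange Server", "messaging-team"),
                    ("Palo Alto Networks", "PAN-OS", "network-team"),
                    ("Cisco", "IOS XE", "network-team")]
SAMPLE_SOURCES = ["Microsoft", "Palo Alto Networks"]  # no Cisco subscription: a coverage gap
# Constructed vendor bulletin with a CVSS score (placeholder ID), to show the non-KEV path.
SAMPLE_BULLETIN = Advisory("Cisco PSIRT", "cisco-sa-placeholder", "Cisco", "IOS XE",
                           tier_for_cvss(7.5), "Upgrade to a fixed release.")


def triage_sample(today=date(2024, 1, 2)):
    """Run the sample through evaluate() and the source-coverage check."""
    advisories = advisories_from_kev(SAMPLE_KEV) + [SAMPLE_BULLETIN]
    return evaluate(advisories, SAMPLE_INVENTORY, today), uncovered_vendors(SAMPLE_INVENTORY, SAMPLE_SOURCES)


if __name__ == "__main__":
    records, gaps = triage_sample()
    print(json.dumps(records, indent=2))
    print("inventory vendors with no advisory source:", gaps)
```

Append the records to a tracking log on every run, including the not-applicable ones: the "every advisory requires evaluation" expectation is only provable if the rejections are recorded too. The `uncovered_vendors` result is the list to fix before an assessor finds it.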
Pass or Fail
Your assessor needs a “yes” to every row:
| # | Question | What “yes” looks like |
|---|---|---|
| 1 | Are response actions to alerts and advisories identified? | Defined response categories: patch, configure, block, accept risk, communicate — per severity |
| 2 | Are system security alerts and advisories monitored? | Documented list of monitored sources; evidence of regular review (email subscriptions, RSS feeds, log of reviews) |
| 3 | Are actions taken in response to relevant advisories? | For each relevant advisory: documented evaluation, decided action, implementation record |
What to Have Ready on Assessment Day
Documents they’ll review: System and information integrity policy; procedures addressing security alerts and advisories; system security plan; records of advisories received and evaluated; response action records; CISA KEV tracking log
People they’ll talk to: Personnel with security alert and advisory responsibilities; information security personnel; system administrators; anyone who evaluates or acts on advisories
Live demos they’ll ask for: “Show me your advisory sources. How do you receive them?” “Show me the last CISA KEV addition relevant to your environment — what did you do?” “Walk me through a recent advisory from receipt to action.”
The Assessor’s Playbook
These are the actual questions. Have answers ready.
- “What sources do you monitor for security advisories? Show me.”
- “How often do you review advisories?”
- “Show me a recent advisory that was relevant to your environment. What action did you take?”
- “How do you determine whether an advisory applies to your systems?”
- “Show me your CISA KEV tracking — are all relevant KEV items addressed?”
- “What’s your response timeframe for advisories based on severity?”
Where Companies Trip Up
No monitoring. Nobody subscribes to security advisory feeds. The assessor asks “what advisory sources do you monitor?” and the answer is “we check when we hear about something.” Subscribe to CISA alerts, vendor security bulletins, and relevant threat feeds.
Advisories received but not evaluated. Emails arrive and sit unread. The assessor asks about a specific recent advisory and nobody can say whether it was relevant. Assign a person to triage advisories on a defined schedule.
Action taken but not documented. A critical advisory was received, the team patched urgently, but nobody recorded the chain of events. Documentation is what turns “we handled it” into evidence. Log every advisory evaluation and response.
Incomplete sources. Only Microsoft advisories are monitored, but the environment also includes Palo Alto firewalls, Cisco switches, and third-party applications — none of which have advisory subscriptions. Monitor sources for every significant technology in your CUI environment.
How to Talk About This
Connected Requirements
| Requirement | Why it matters here |
|---|---|
| 3.14.1 — Patch Your Systems | Advisories feed the flaw identification and remediation process |
| 3.3.3 — Review What You Log | Advisories may reveal new event types to add to logging configuration |
| 3.11.1 — Assess Risk | Advisory evaluation is a form of ongoing risk assessment |
| 3.14.6 — Watch the Network | Advisories about active exploits may require new monitoring rules |
Implementation (coming soon)
Step-by-step setup for Microsoft 365 / Entra ID, AWS, Azure, and GCP — console steps, CLI commands, and evidence screenshots.
CMMC Practice ID: SI.L2-3.14.3 | SPRS Weight: 5 points | POA&M Eligible: No