03.14.01 — (a) Identify, report, and correct system flaws. (b) Install security-relevant software and firmware updates within [Assignment: organization-defined time period (A.03.14.01.ODP.01)] of the release of the updates.
What this control requires
(a) Identify, report, and correct system flaws. (b) Install security-relevant software and firmware updates within [Assignment: organization-defined time period (A.03.14.01.ODP.01)] of the release of the updates.
Source: NIST SP 800-171 R3 §03.14.01 (official control text).
Why this matters
Unpatched software is the number one entry point for attackers. Every day a critical vulnerability remains unaddressed, adversaries have a documented blueprint for breaking in. This control requires organizations to systematically find flaws, test fixes, and deploy patches within defined timelines—typically 30 days for standard updates, shorter for critical vulnerabilities. It protects against ransomware, data breaches, and system compromises that exploit known weaknesses. Without disciplined patch management, even sophisticated security controls become irrelevant because attackers simply walk through open doors that published CVEs have already unlocked.
What evidence assessors expect
Assessors typically look for: PDF, screenshot, CSV export. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.