Related control 03.14.02, Malicious code protection: deploy, update, scan, monitor, and respond to malicious-code protections across endpoints, servers, email, and other relevant entry points.
Identify, report, prioritize, and fix software and firmware flaws within defined timelines. This guide separates the formal control language from practical implementation, evidence, auditor questions, and related controls.
Official CPCSC Level 1 wording for 03.14.01. Use the Government of Canada page as the source of truth for certification or procurement submissions.
Contains information sourced from Government of Canada material used under the Open Government Licence - Canada.
Patch the systems that matter, know when patching is late, and document what happens when a patch cannot be applied.
In-scope systems include laptops, servers, cloud workloads, network devices, applications, libraries, containers, firmware, and vendor-managed systems where relevant.
For CPCSC Level 1, the useful test is not whether a policy mentions the control, but whether an owner can show the system setting, record, ticket, review output, or operating routine that proves the answer is true today and can be repeated when the next contract, customer, or assessment request arrives.
Define patch timelines by severity or source, such as critical updates within a set number of days and routine updates on a monthly cadence.
Use endpoint management, vulnerability scanning, cloud posture tools, package managers, MSP reports, or vendor portals to find missing updates.
Track remediation in tickets or a remediation register with owner, due date, status, exception, and validation evidence.
Include firmware, network appliances, developer dependencies, SaaS advisories, and vendor-managed systems in the review.
Document accepted delays with reason, compensating controls, target date, and approval.
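As an added example (not from this guide or the Government of Canada material), the following Python sketch turns the register fields named in the steps above into a check that flags late patches and incomplete exceptions; the severity timelines, field names and sample rows are constructed assumptions, not a published standard.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Timelines by severity, in days. Constructed values: the guide only says
# "critical within a set number of days" and "routine on a monthly cadence".
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}
REVIEW_DATE = date(2024, 3, 20)  # constructed "today" for the sample review


@dataclass
class Finding:
    """One row of the remediation register, using the fields the guide names."""
    asset: str
    severity: str
    found: date
    owner: str
    validated: Optional[date] = None   # date the install was confirmed (rescan, MDM report)
    exception_reason: str = ""
    compensating_control: str = ""
    exception_target: Optional[date] = None
    exception_approver: str = ""


def due_date(f: Finding) -> date:
    return f.found + timedelta(days=SLA_DAYS[f.severity])

def status(f: Finding, today: date) -> str:
    """Classify a row as closed, closed-late, open, overdue, or an exception state."""
    if f.validated is not None:
        return "closed" if f.validated <= due_date(f) else "closed-late"
    if f.exception_reason:
        # An accepted delay needs reason, compensating control, target date and approval.
        if not (f.compensating_control and f.exception_target and f.exception_approver):
            return "exception-incomplete"
        return "exception-expired" if today > f.exception_target else "exception"
    return "overdue" if today > due_date(f) else "open"

def review(findings, today: date) -> dict:
    """Map each asset to its status: the view a reviewer or assessor asks for."""
    return {f.asset: status(f, today) for f in findings}


# Constructed sample rows.
SAMPLE = [
    Finding("laptop-01", "critical", date(2024, 3, 1), "it", validated=date(2024, 3, 5)),
    Finding("web-srv", "high", date(2024, 3, 1), "ops"),
    Finding("fw-edge", "critical", date(2024, 3, 2), "net", exception_reason="vendor firmware pending"),
    Finding("db-01", "high", date(2024, 3, 1), "dba", exception_reason="change window",
            compensating_control="host isolated", exception_target=date(2024, 4, 1), exception_approver="ciso"),
]
```

Running `review(SAMPLE, REVIEW_DATE)` reports laptop-01 closed, web-srv overdue, fw-edge as an exception missing its compensating control and approval, and db-01 as a complete, current exception.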
Patch policy or remediation standard.
Endpoint patch compliance report.
Vulnerability scan summary.
Remediation tickets and closure records.
Firmware update records.
Exception register and approval notes.
MSP or vendor patch reports.
What are your patch timelines for software and firmware?
How do you find flaws or missing patches?
Show me a recent critical or high-risk remediation ticket.
Who approves exceptions or delayed remediation?
How do you confirm a patch was actually installed?