Vulnerability Scans. The Contractor shall perform vulnerability scans on Contractor applications that receive, process, store, transmit, access or protect sensitive OAG Protected Data and SAVNS Data. These scans shall be performed on both the Application and/or Operating System (OS) on at least a quarterly basis. In addition, the Contractor shall perform scans for any major system change in the application, OS, or server to identify any potential vulnerabilities that are introduced with the release of new software or hardware. The Contractor shall provide a report to the OAG Contract Manager within two (2) Business Days after the scan has been performed. To track all previous and/or new security vulnerabilities that may exist within a system, a Plan of Action and Milestones spreadsheet shall be utilized for each system/application. This spreadsheet will be a means for both the OAG and the Contractor to track the status of previous and newly discovered security vulnerabilities with the details of the steps taken to completion.

14.3.3.1 Remediation of critical and high vulnerabilities is required within thirty (30) calendar days unless the effort can be shown to be problematic. Remediation of medium vulnerabilities is on a case-by-case basis agreed to by the parties within sixty (60) calendar days. Remediation of low vulnerabilities is not required.
Appears in 3 contracts
Sources: Service Agreement, Service Agreement, Service Agreement