+OPS-25.01AC

1. Übersicht

OPS-25.01AC

Time frames for the initiation of remediation or mitigation efforts after a vulnerability is identified are defined and monitored according to a risk-based classification framework. This framework incorporates, but is not limited to, the CVSS severity level of vulnerabilities.

An example of a framework for risk-based classification and definition of time frames can be:

1. Critical (CVSS = 9.0 - 10.0): 24 - 48 hours;
2. High (CVSS = 7.0 - 8.9): 48 - 72 hours;
3. Medium (CVSS = 4.0 - 6.9): 5 days; and
4. Low (CVSS = 0.1 - 3.9): 1 month.

Bezeichnung	Standard

1.1 Referenzen

1.2 Identifizierte Anforderungen

1.2 Related Regulation

2. Identifizierte Anforderungen

Anforderungen
Source	Anforderung

3. Related Regulations

Regulations
Source	Regulierung

Cloud Computing Compliance Criteria Catalogue (C5:2026) -
Copyright by Bundesamt für Sicherheit in der Informationstechnik (https://www.bsi.bund.de/)

https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Empfehlungen-nach-Angriffszielen/Cloud-Computing/Kriterienkatalog-C5/C5_2025/C5_2025_node.html