← Custodia
Practice 12 of 15·FAR 52.204-21(b)(1)(xii)·SISystem & Information Integrity

SI.L1-b.1.xii

Identify, report, and fix system flaws on time

Patch your systems. When Microsoft, Apple, or your router vendor ships a security update, install it — not eventually, but on a defined cadence. Have a way to know about flaws (vendor updates, security bulletins) and a defined window to act.

Official text

Identify, report, and correct information and information system flaws in a timely manner.

FAR 52.204-21(b)(1)(xii), CMMC Level 1 v2.13 Assessment Guide

What evidence satisfies this

Any one of these, by itself, won't satisfy the practice — but showing a few of them together is what an assessor or a prime contractor expects to see:

  • Automatic Windows / macOS / Chrome OS updates enabled on every endpoint.
  • A documented patch window: e.g. "all critical updates applied within 14 days."
  • Firmware update log for the firewall / router.
  • Software inventory: what apps are installed, what version, last update.
  • Browser auto-update enabled (Chrome, Edge, Firefox).

Common ways small shops fail this

  • Windows Updates paused indefinitely because "it slowed down the shop PC."
  • Router firmware that hasn't been updated in five years.
  • Office and Adobe apps stuck on long-EOL versions.
  • Macs that show "updates available" for months in the dock.
  • Browser plugins (Java, old extensions) still installed and outdated.

How to fix it in a weekend

  1. 1Turn on automatic updates on every device. Restart weekly.
  2. 2Log into the firewall / router monthly, check for firmware updates, apply them.
  3. 3Set a 14-day patch window for critical and high-severity updates and document it.
  4. 4Subscribe to one security newsletter (US-CERT / CISA alerts is free) so you hear about active threats.
  5. 5Quarterly: walk through installed software, remove anything you don't use.

FAQ

Does "timely" mean a specific number of days?+

The FAR doesn't define a number. Industry practice is 14–30 days for critical patches and 90 days for everything else; pick a number you can actually meet, write it down, and follow it. "We patch when we feel like it" fails the practice; "we apply critical patches within 14 days" is defensible.

Related references

Clause

FAR 52.204-21Basic Safeguarding of Covered Contractor Information Systems

Glossary

FAR 52.204-21

Doing all 15 yourself? Use the checklist.

Custodia's free CMMC Level 1 checklist walks the same 15 requirements with a self-assessment workflow, generates your SSP and affirmation memo, and posts your SPRS score for you.

Open the checklist →
Stop reading. Start filing.

Find your SPRS score in 4 minutes. Then file it in 7 days.

Take the free SPRS quiz to see exactly where you stand on the 15 FAR 52.204-21 safeguarding requirements — no signup, no card. If you like what you see, the 7-day Custodia trial picks up where the quiz leaves off and walks you to a signed, bid-ready package.

Take the free SPRS quizStart 7-day free trial

7-day free trial · No credit card required · $249/mo Self Service ($2,496/yr on annual — two months free)