

Office of the Chief Technology Officer


Vulnerability Management Policy

Approved Date – 02/22/2021
Published Date – 02/22/2021
Revised Date – 02/23/2023

1. Purpose

Ensure the identification and prompt remediation of security vulnerabilities on the IT assets belonging to the District of Columbia Government (“District”).

2. Authority

DC Official Code § 1-1401 et seq. provides the Office of the Chief Technology Officer (“OCTO”) with the authority to provide information technology (IT) services, write and enforce IT policies, and secure the network and IT systems for the District’s government agencies under the authority of the District’s Mayor. This document can be found at:

3. Applicability

This policy applies to all the District workforce members performing official functions related to the management of the Virtual Private Network tools and processes on behalf of the District government, and/or any District agency/entity that receives enterprise services from OCTO. In addition, this policy applies to any provider and third-party entity with access to the District’s information, systems, network, and applications.

4. Policy

All the District agencies and departments must develop or adhere to a strategy which demonstrates compliance with this policy and its related standards.  

The District Government's agencies must develop a procedure in support of this policy, and review or update it annually and after any change to the policy. The procedure must meet the following requirements.

4.1. Vulnerability Scanning Timeline 

All systems and devices connected to the District’s Network must be scanned every quarter by the OCTO Vulnerability Management Team.   

4.2. Authenticated Scanning 

All systems and devices owned by the District must be scanned via an authenticated scan for increased accuracy.  

4.3. Vulnerability Scan Report Validation 

All scan results must be verified by the Vulnerability Management team with the device or network manager so that potential false positives can be identified and eliminated. 

4.4. Vulnerability Report (Remedy) Tickets

The vulnerability management team must generate an incident ticket for every vulnerability on the vulnerability scan report and assign the ticket to relevant system owners or managers for remediation. 

4.5. Vulnerability Remediation Timeline 

All vulnerabilities must be prioritized for remediation with the timeline according to their severity level. 

| Severity Level | Remediation Timeline | Risk Description |
| --- | --- | --- |
| | 30 days | Intruders can easily gain control of the host, which can lead to the compromise of your entire network. Vulnerabilities include read and write access to files, remote execution of commands, and backdoors. |
| | 30 days | Intruders can potentially gain control of the host or collect highly sensitive information including "read" access to file, potential backdoors, or a listing of all user accounts on the host. |
| | 90 days | Intruders can gain access to security settings on the host, which could lead to access to files and disclosure of file contents, directory browsing, denial of service attacks, and unauthorized use of services. |
| | | Intruders can collect sensitive information from the host, such as software versions installed, which can reveal known vulnerabilities. |
| | | Intruders can collect information about the host via open ports or services, which can lead to the disclosure of other vulnerabilities. |

4.6. Request for Waiver

When vulnerabilities cannot be remediated within the timeline stated in 4.5 above, the system owner must submit a “request for a waiver” to the offices of the Chief Information Security Officer (“CISO”) and the Chief Technology Officer (“CTO”) for OCTO. The request must contain the following information:

4.6.1. Details of the system.

4.6.2. The business justification for the request.

4.6.3. Details of existing controls (if any).

4.6.4. New timeline being requested.

4.6.5. Plan of action & milestones (POA&M) to remediate on or before the expiration of the new timeline.

4.7. Application and Server Development

All new applications and servers being developed by the build team must be scanned for vulnerabilities before they are deployed to the production environment.

5. Exemptions

Exceptions to this policy shall be requested in writing to the Agency’s CIO and the request will be escalated to the OCTO Chief Information Security Officer (“CISO”) for approval.

6. Definitions

The definition of the terms used in this document can be found in the Policy Definitions website.