Capability Maturity Model: vulnerability management – fix

The fix function of the VM process also varies from organization to organization. It could be that the same person who is scanning is also the one who is fixing. Likewise, it is also possible for the person fixing to be the one receiving the vulnerability report. Either way, there needs to be prioritization of what to fix. In reporting, we prioritized how we were going to report based on the impact that particular systems or applications have on the organization.

The Capability Maturity Model for fix, at least in my mind, should run in parallel with what we are building for reporting. What we are trying to achieve is that once high-impact systems and applications have been identified and reported on, we prioritize how those items will be addressed.

Let's take a look at an example of this:

This Capability Maturity Model builds on what we have learned in the previous sections, namely the Common Vulnerability Scoring System, which helps our stakeholders identify what they should fix first, with an added twist: we also need to reduce the exposure of these systems to exploitation of those vulnerabilities. Recall the example of the systems administrator who is being buried in reports; those reports may contain hundreds of vulnerabilities. Leaving risk exceptions aside, we should know the average number of vulnerabilities of each severity that exist on each system, and this maturity model takes that into account with one qualification: the acceptable averages are defined by you and your organization.
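The following is an added illustration, not from the book, of how the fix-stage model described above can be made concrete: findings are bucketed by CVSS severity per system, accepted risk exceptions are left out of the counts, the per-system averages are compared against targets the organization sets, and the resulting fix list is ordered by the system impact established in the reporting stage. All findings, impact ratings, exceptions and target averages are constructed sample values.

```python
from collections import Counter, defaultdict

# CVSS v3 qualitative bands: 0.1-3.9 Low, 4.0-6.9 Medium, 7.0-8.9 High, 9.0-10.0 Critical.
def cvss_severity(score):
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low" if score > 0.0 else "None"

SEVERITY_ORDER = ["Critical", "High", "Medium", "Low"]

# Assumed organization-defined acceptable average per system, by severity.
TARGET_AVERAGE = {"Critical": 0, "High": 2, "Medium": 10, "Low": 25}

# Constructed sample data: (system, finding id, CVSS base score), business
# impact per system (from the reporting stage), and accepted risk exceptions.
FINDINGS = [
    ("erp-db01", "VULN-0001", 9.8), ("erp-db01", "VULN-0002", 7.5),
    ("erp-db01", "VULN-0003", 7.2), ("erp-db01", "VULN-0004", 9.1),
    ("web-portal", "VULN-0005", 8.1), ("web-portal", "VULN-0006", 5.3),
    ("print-srv", "VULN-0007", 9.4), ("print-srv", "VULN-0008", 3.1),
]
SYSTEM_IMPACT = {"erp-db01": "high", "web-portal": "high", "print-srv": "low"}
RISK_EXCEPTIONS = {("erp-db01", "VULN-0004")}  # accepted risk, not counted

def count_by_severity(findings, exceptions):
    """Open findings per system, bucketed by severity; exceptions are skipped."""
    counts = defaultdict(Counter)
    for system, vuln_id, score in findings:
        if (system, vuln_id) not in exceptions:
            counts[system][cvss_severity(score)] += 1
    return counts

def fleet_average(counts):
    """Average number of findings per system, by severity (what the model measures)."""
    systems = len(counts) or 1
    return {sev: sum(c[sev] for c in counts.values()) / systems for sev in SEVERITY_ORDER}

def fix_priority(counts, impact, target):
    """Bands exceeding the org target, high-impact systems first, then most severe."""
    rank = {"high": 0, "medium": 1, "low": 2}
    rows = [(s, sev, c[sev]) for s, c in counts.items()
            for sev in SEVERITY_ORDER if c[sev] > target[sev]]
    rows.sort(key=lambda r: (rank[impact.get(r[0], "low")], SEVERITY_ORDER.index(r[1])))
    return rows
```

With the sample data, only the Critical bands on erp-db01 and print-srv exceed the targets, and erp-db01 comes first because reporting rated it high impact.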
