Remediation Target When VIT Risk Rating Changes
‎08-04-2022 12:19 PM
Hello,
We recently had a vulnerability in our scanning tool increase in severity. This caused the VITs related to that vulnerability to go from a Risk Rating of medium to high. Our remediation targets are based on Risk Rating. Mediums by default don't get a remediation target.
When the vulnerability severity changed, triggering the High Risk Rating Remediation Target to be added to the VITs, they were already in a 'target missed' state. This is because the VITs had been in our environment as mediums longer than the days in the High Risk Rating Remediation Target.
How do you handle a scenario like this? Do you have remediation targets based only on Risk Rating, or do you have other conditions?
Thanks for your time.
‎08-08-2022 07:10 AM
Hello Chris,
We had a similar situation in our implementation, where the risk rating is changed often based on business needs. This is not any fault of the remediation owner, and we do not like to penalize them by suddenly changing remediation targets. I have implemented some customization on SI - VulnerabilityTTRUtil, particularly on the _setRemediationRule function, to adjust remediation targets if the risk rating changed on a record.
A few considerations here:
1. If the risk of a vulnerability moves higher (i.e. Medium 90 days to High 30 days; or High 30 days to Critical 7 days), the target days for the revised risk rating will begin on the day of the risk change.
2. The new reduced SLA day count should not go longer than the original longer day count.
3. If a VIT has no target and then gets re-risk ranked to have a target, then add target days to the current date (day of risk change).
4. If a VIT moves from an orphaned asset or unmatched CI to an actual group, add target days to the current date so remediation teams get the full allocated time once the ticket reaches their queue.
5. Last but not least, as with any customizations to OOB code, please make sure this is documented well with comments.
Please let me know if this helped.
Thanks,
Harish Viswanathan
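
The date arithmetic behind considerations 1 to 4 in the reply above, as an added example in plain JavaScript; it is not the poster's customization and not ServiceNow's VulnerabilityTTRUtil code. The function and field names are hypothetical, the day counts are the ones quoted in the reply, and consideration 2 is read here as "the recalculated target never lands later than the target the VIT already had", which is an assumption.

```javascript
// Added example: hypothetical names, no ServiceNow APIs (no GlideDateTime).
// Day counts come from the reply's examples; null means "no target".
const TARGET_DAYS = { Critical: 7, High: 30, Medium: 90, Low: null };
const RANK = { Low: 0, Medium: 1, High: 2, Critical: 3 };
const DAY_MS = 24 * 60 * 60 * 1000;

function addDays(date, days) {
  return new Date(date.getTime() + days * DAY_MS);
}

// vit:    { risk: string, target: Date|null, assigned: boolean }
// change: { on: Date, newRisk?: string, nowAssigned?: boolean }
// Returns the remediation target date the VIT should carry after the change.
function recalcTarget(vit, change) {
  const newRisk = change.newRisk || vit.risk;
  const days = TARGET_DAYS[newRisk];
  if (days == null) return null; // this rating carries no target

  const fresh = addDays(change.on, days); // clock starts on the change date

  // Consideration 4: orphaned/unmatched VIT reaches a real group, so the
  // team gets the full allocation from the day it enters their queue.
  if (!vit.assigned && change.nowAssigned) return fresh;

  // Consideration 3: no target before, so count from the day of the change.
  if (vit.target == null) return fresh;

  // Considerations 1 and 2: on escalation restart the clock at the change
  // date, capped at the existing target (assumed reading of item 2).
  if (RANK[newRisk] > RANK[vit.risk]) {
    return fresh < vit.target ? fresh : vit.target;
  }
  return vit.target; // no escalation: existing target kept (assumption)
}

// Constructed sample: a Medium VIT with no target is re-rated to High.
const sample = recalcTarget(
  { risk: "Medium", target: null, assigned: true },
  { on: new Date("2022-08-04T00:00:00Z"), newRisk: "High" }
);
console.log(sample.toISOString().slice(0, 10)); // 2022-09-03
```
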