...

Recording and communication could be as simple as assigning tickets to appropriate service operators.


[OS3]

A process to manage vulnerabilities (including reporting and disclosure) in any software distributed within the infrastructure. This process must be sufficiently dynamic to respond to changing threat environments.

This item differs from the patch management process in that it covers software owned or distributed by the infrastructure to the service providers. In OS2 we might be talking about an XSS flaw in the user portal or website for the infrastructure, whereas here we might be talking about accounting or job submission software pushed out to all the service operators.

This process could be as simple as a regular meeting to discuss new vulnerabilities (e.g., the latest OpenSSL flaws) and determine their impact on software distributed by the infrastructure, along with an email list to distribute such information to each service operator.

...

Some explanations from Dave Kelsey (my personal views - recalling the history)

...