
💼 RA-5 VULNERABILITY SCANNING

  • Contextual name: 💼 RA-5 VULNERABILITY SCANNING
  • ID: /frameworks/nist-sp-800-53-r4/ra/05
  • Located in: 💼 RA RISK ASSESSMENT

Description

The organization:

  • RA-5a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported;
  • RA-5b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
    • RA-5b.1. Enumerating platforms, software flaws, and improper configurations;
    • RA-5b.2. Formatting checklists and test procedures; and
    • RA-5b.3. Measuring vulnerability impact;
  • RA-5c. Analyzes vulnerability scan reports and results from security control assessments;
  • RA-5d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and
  • RA-5e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).

Similar

  • Internal
    • ID: dec-c-89257a0f

Similar Sections (Give Policies To)

Section | Sub Sections | Internal Rules | Policies | Flags
💼 NIST CSF v1.1 → 💼 DE.CM-8: Vulnerability scans are performed | 77
💼 NIST CSF v1.1 → 💼 DE.DP-4: Event detection information is communicated | 3033
💼 NIST CSF v1.1 → 💼 DE.DP-5: Detection processes are continuously improved | 1416
💼 NIST CSF v1.1 → 💼 ID.RA-1: Asset vulnerabilities are identified and documented | 1415
💼 NIST CSF v1.1 → 💼 PR.IP-12: A vulnerability management plan is developed and implemented | 78
💼 NIST CSF v1.1 → 💼 RS.CO-3: Information is shared consistent with response plans | 1617
💼 NIST CSF v1.1 → 💼 RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks | 77

Sub Sections

Section | Sub Sections | Internal Rules | Policies | Flags
💼 RA-5 (1) UPDATE TOOL CAPABILITY
💼 RA-5 (2) UPDATE BY FREQUENCY / PRIOR TO NEW SCAN / WHEN IDENTIFIED
💼 RA-5 (3) BREADTH / DEPTH OF COVERAGE
💼 RA-5 (4) DISCOVERABLE INFORMATION
💼 RA-5 (5) PRIVILEGED ACCESS
💼 RA-5 (6) AUTOMATED TREND ANALYSES
💼 RA-5 (7) AUTOMATED DETECTION AND NOTIFICATION OF UNAUTHORIZED COMPONENTS
💼 RA-5 (8) REVIEW HISTORIC AUDIT LOGS
💼 RA-5 (9) PENETRATION TESTING AND ANALYSES
💼 RA-5 (10) CORRELATE SCANNING INFORMATION