💼 RA-5 VULNERABILITY SCANNING
- ID:
/frameworks/nist-sp-800-53-r4/ra/05
Description​
The organization: RA-5a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported; RA-5b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: RA-5b.1. Enumerating platforms, software flaws, and improper configurations; RA-5b.2. Formatting checklists and test procedures; and RA-5b.3. Measuring vulnerability impact; RA-5c. Analyzes vulnerability scan reports and results from security control assessments; RA-5d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and RA-5e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
Similar​
- Internal
- ID:
dec-c-89257a0f
- ID:
Similar Sections (Give Policies To)​
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| 💼 NIST CSF v1.1 → 💼 DE.CM-8: Vulnerability scans are performed | 7 | 7 | no data | ||
| 💼 NIST CSF v1.1 → 💼 DE.DP-4: Event detection information is communicated | 29 | 33 | no data | ||
| 💼 NIST CSF v1.1 → 💼 DE.DP-5: Detection processes are continuously improved | 13 | 16 | no data | ||
| 💼 NIST CSF v1.1 → 💼 ID.RA-1: Asset vulnerabilities are identified and documented | 13 | 16 | no data | ||
| 💼 NIST CSF v1.1 → 💼 PR.IP-12: A vulnerability management plan is developed and implemented | 7 | 9 | no data | ||
| 💼 NIST CSF v1.1 → 💼 RS.CO-3: Information is shared consistent with response plans | 16 | 18 | no data | ||
| 💼 NIST CSF v1.1 → 💼 RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks | 7 | 7 | no data |
Sub Sections​
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| 💼 RA-5 (1) UPDATE TOOL CAPABILITY | no data | ||||
| 💼 RA-5 (2) UPDATE BY FREQUENCY _ PRIOR TO NEW SCAN _ WHEN IDENTIFIED | no data | ||||
| 💼 RA-5 (3) BREADTH _ DEPTH OF COVERAGE | no data | ||||
| 💼 RA-5 (4) DISCOVERABLE INFORMATION | no data | ||||
| 💼 RA-5 (5) PRIVILEGED ACCESS | no data | ||||
| 💼 RA-5 (6) AUTOMATED TREND ANALYSES | no data | ||||
| 💼 RA-5 (7) AUTOMATED DETECTION AND NOTIFICATION OF UNAUTHORIZED COMPONENTS | no data | ||||
| 💼 RA-5 (8) REVIEW HISTORIC AUDIT LOGS | no data | ||||
| 💼 RA-5 (9) PENETRATION TESTING AND ANALYSES | no data | ||||
| 💼 RA-5 (10) CORRELATE SCANNING INFORMATION | no data |