💼 RA-5 VULNERABILITY SCANNING

  • Contextual name: 💼 RA-5 VULNERABILITY SCANNING
  • ID: /frameworks/nist-sp-800-53-r4/ra/05
  • Located in: 💼 RA RISK ASSESSMENT

Description

The organization:

  • RA-5a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported;
  • RA-5b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
    • RA-5b.1. Enumerating platforms, software flaws, and improper configurations;
    • RA-5b.2. Formatting checklists and test procedures; and
    • RA-5b.3. Measuring vulnerability impact;
  • RA-5c. Analyzes vulnerability scan reports and results from security control assessments;
  • RA-5d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and
  • RA-5e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
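The interoperability standards RA-5b points at are, in practice, the SCAP family: CVE for software flaws, CPE for platforms, CCE for configuration items, XCCDF/OVAL for checklists and test procedures, and CVSS for impact. The script below is an added example, not part of the framework text or of any scanner product, showing how findings expressed in those enumerations can be triaged against organization-defined response times (RA-5d) and mined for flaws that recur across systems (RA-5e). The CVE IDs, CPE strings, dates and day counts are constructed placeholders; real response times come from the organization's own vulnerability management plan.

```python
"""Scan-result triage in the spirit of RA-5b/d/e: CVSS-based severity,
organization-defined response times, and cross-system (systemic) weakness
detection. Added example; identifiers, dates and response times are
constructed placeholders, not values from any framework or real scanner."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Organization-defined response times per RA-5d. Hypothetical values:
# each organization sets its own in its vulnerability management plan.
RESPONSE_TIME_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}


def severity_from_cvss(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative rating (the RA-5b.3
    'measuring vulnerability impact' standard). 0.0 means 'none'."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "none"


@dataclass(frozen=True)
class Finding:
    system: str        # information system the scanner reported against
    cpe: str           # platform enumeration (CPE 2.3 string)
    cve: str           # software flaw enumeration (CVE ID)
    cvss: float        # CVSS base score from the scanner / NVD
    first_seen: date   # date the finding was first reported
    false_positive: bool = False  # set after RA-5c analysis of the report


def remediation_deadline(f: Finding) -> Optional[date]:
    """Deadline derived from the response time for the finding's severity;
    None for informational (CVSS 0.0) results, which carry no deadline."""
    days = RESPONSE_TIME_DAYS.get(severity_from_cvss(f.cvss))
    return None if days is None else f.first_seen + timedelta(days=days)


def triage(findings, today: date) -> dict:
    """Split findings into legitimate-and-overdue, legitimate-and-in-window,
    and dismissed (false positive or informational). Overdue means the
    organization-defined response time has elapsed without remediation."""
    result = {"overdue": [], "open": [], "dismissed": []}
    for f in findings:
        deadline = remediation_deadline(f)
        if f.false_positive or deadline is None:
            result["dismissed"].append(f)
        elif today > deadline:
            result["overdue"].append(f)
        else:
            result["open"].append(f)
    return result


def systemic_weaknesses(findings, min_systems: int = 2) -> dict:
    """RA-5e: confirmed CVEs present on at least `min_systems` distinct
    systems, i.e. the results worth sharing with other system owners so
    the same flaw is fixed everywhere rather than one host at a time."""
    systems_by_cve = defaultdict(set)
    for f in findings:
        if not f.false_positive and f.cvss > 0.0:
            systems_by_cve[f.cve].add(f.system)
    return {cve: sorted(s) for cve, s in systems_by_cve.items()
            if len(s) >= min_systems}


# Constructed sample scan output (placeholder CVE IDs and CPEs, not real ones).
SAMPLE_FINDINGS = [
    Finding("web-01", "cpe:2.3:a:example:webapp:1.0:*:*:*:*:*:*:*", "CVE-0000-0001", 9.8, date(2024, 1, 2)),
    Finding("web-02", "cpe:2.3:a:example:webapp:1.0:*:*:*:*:*:*:*", "CVE-0000-0001", 9.8, date(2024, 1, 20)),
    Finding("db-01", "cpe:2.3:a:example:dbms:4.2:*:*:*:*:*:*:*", "CVE-0000-0002", 5.3, date(2023, 12, 1)),
    Finding("db-01", "cpe:2.3:a:example:dbms:4.2:*:*:*:*:*:*:*", "CVE-0000-0003", 7.5, date(2024, 1, 25), false_positive=True),
    Finding("web-01", "cpe:2.3:o:example:os:12:*:*:*:*:*:*:*", "CVE-0000-0004", 0.0, date(2024, 1, 25)),
]
SAMPLE_TODAY = date(2024, 1, 31)  # constructed "today" for the sample run

if __name__ == "__main__":
    report = triage(SAMPLE_FINDINGS, SAMPLE_TODAY)
    for bucket, items in report.items():
        print(bucket, [(f.system, f.cve, remediation_deadline(f)) for f in items])
    print("systemic:", systemic_weaknesses(SAMPLE_FINDINGS))
```

Two design points matter for a real deployment: the false-positive flag is set only after the RA-5c analysis step, never by the scanner itself, and the systemic-weakness roll-up keys on the CVE rather than on host or CPE so that the same flaw in different products still surfaces as one item to share under RA-5e.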

Similar

  • Internal
    • ID: dec-c-89257a0f

Similar Sections (Give Policies To)

Section | Sub Sections · Internal Rules · Policies · Flags
💼 NIST CSF v1.1 → 💼 DE.CM-8: Vulnerability scans are performed | 77
💼 NIST CSF v1.1 → 💼 DE.DP-4: Event detection information is communicated | 2932
💼 NIST CSF v1.1 → 💼 DE.DP-5: Detection processes are continuously improved | 1315
💼 NIST CSF v1.1 → 💼 ID.RA-1: Asset vulnerabilities are identified and documented | 1315
💼 NIST CSF v1.1 → 💼 PR.IP-12: A vulnerability management plan is developed and implemented | 79
💼 NIST CSF v1.1 → 💼 RS.CO-3: Information is shared consistent with response plans | 1617
💼 NIST CSF v1.1 → 💼 RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks | 77

Sub Sections

Section | Sub Sections | Internal Rules | Policies | Flags
💼 RA-5 (1) UPDATE TOOL CAPABILITY
💼 RA-5 (2) UPDATE BY FREQUENCY / PRIOR TO NEW SCAN / WHEN IDENTIFIED
💼 RA-5 (3) BREADTH / DEPTH OF COVERAGE
💼 RA-5 (4) DISCOVERABLE INFORMATION
💼 RA-5 (5) PRIVILEGED ACCESS
💼 RA-5 (6) AUTOMATED TREND ANALYSES
💼 RA-5 (7) AUTOMATED DETECTION AND NOTIFICATION OF UNAUTHORIZED COMPONENTS
💼 RA-5 (8) REVIEW HISTORIC AUDIT LOGS
💼 RA-5 (9) PENETRATION TESTING AND ANALYSES
💼 RA-5 (10) CORRELATE SCANNING INFORMATION