Risk Assessment (RA)

a. Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported;
b. Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
   1. Enumerating platforms, software flaws, and improper configurations;
   2. Formatting checklists and test procedures; and
   3. Measuring vulnerability impact;
c. Analyze vulnerability scan reports and results from vulnerability monitoring;
d. Remediate legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk;
e. Share information obtained from the vulnerability monitoring process and control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems; and
f. Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.


[Withdrawn: Incorporated into RA-5.]


Update the system vulnerabilities to be scanned [Selection (one or more): [Assignment: organization-defined frequency]; prior to a new scan; when new vulnerabilities are identified and reported].


Define the breadth and depth of vulnerability scanning coverage.


Determine information about the system that is discoverable and take [Assignment: organization-defined corrective actions].


Implement privileged access authorization to [Assignment: organization-defined system components] for [Assignment: organization-defined vulnerability scanning activities].


Compare the results of multiple vulnerability scans using [Assignment: organization-defined automated mechanisms].


[Withdrawn: Incorporated into CM-8.]


Review historic audit logs to determine if a vulnerability identified in a [Assignment: organization-defined system] has been previously exploited within an [Assignment: organization-defined time period].


[Withdrawn: Incorporated into CA-8.]

