catalog: SP800-53rev3 / class: Management / family: (RA) Risk Assessment

RA-05: Vulnerability Scanning

base control objective:
The organization:
a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported;
b. Employs vulnerability scanning tools and techniques that promote interoperability among tools and automate parts of the vulnerability management process by using standards for:
   - Enumerating platforms, software flaws, and improper configurations;
   - Formatting and making transparent, checklists and test procedures; and
   - Measuring vulnerability impact;
c. Analyzes vulnerability scan reports and results from security control assessments;
d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and
e. Shares information obtained from the vulnerability scanning process and security control assessments with designated personnel throughout the organization to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).

supplemental objective information:
The security categorization of the information system guides the frequency and comprehensiveness of the vulnerability scans. Vulnerability analysis for custom software and applications may require additional, more specialized techniques and approaches (e.g., web-based application scanners, source code reviews, source code analyzers). Vulnerability scanning includes scanning for specific functions, ports, protocols, and services that should not be accessible to users or devices and for improperly configured or incorrectly operating information flow mechanisms. The organization considers using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and use the Open Vulnerability Assessment Language (OVAL) to test for the presence of vulnerabilities. The Common Weakness Enumeration (CWE) and the National Vulnerability Database (NVD) are also excellent sources for vulnerability information. In addition, security control assessments such as red team exercises are another source of potential vulnerabilities for which to scan.

enhancements to the base objective:

(1) The organization employs vulnerability scanning tools that include the capability to readily update the list of information system vulnerabilities scanned.

(2) The organization updates the list of information system vulnerabilities scanned [Assignment: organization-defined frequency] or when new vulnerabilities are identified and reported.

(3) The organization employs vulnerability scanning procedures that can demonstrate the breadth and depth of coverage (i.e., information system components scanned and vulnerabilities checked).

(4) The organization attempts to discern what information about the information system is discoverable by adversaries.

(5) The organization includes privileged access authorization to [Assignment: organization-identified information system components] for selected vulnerability scanning activities to facilitate more thorough scanning.

(6) The organization employs automated mechanisms to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities.
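As an added illustration of enhancement (6) together with part d. of the base control (not NIST text and not part of the catalog), the following Python compares consecutive scan snapshots, tracks how long each open finding has been present, and flags findings that have exceeded a response time. Hosts, finding ids and the response times are constructed placeholders; an organization would substitute its own defined values.

```python
"""Added example (not NIST text): RA-5(6) scan-over-time comparison plus the
RA-5 d. remediation-time check. Hosts and finding ids are constructed
placeholders; RESPONSE_DAYS are hypothetical organization-defined values."""
from datetime import date

# Hypothetical organization-defined response times (RA-5 d.), in days.
RESPONSE_DAYS = {"critical": 15, "high": 30, "moderate": 90, "low": 180}

# Constructed scan snapshots: scan date -> set of (host, finding_id, severity).
# "VULN-000n" ids are placeholders standing in for CVE-style identifiers.
SCANS = {
    date(2011, 7, 1): {("web01", "VULN-0001", "high"), ("web01", "VULN-0002", "low"),
                       ("db01", "VULN-0003", "critical")},
    date(2011, 8, 1): {("web01", "VULN-0001", "high"), ("db01", "VULN-0003", "critical"),
                       ("db01", "VULN-0004", "moderate")},
    date(2011, 9, 1): {("web01", "VULN-0001", "high"), ("db01", "VULN-0004", "moderate"),
                       ("web02", "VULN-0005", "high")},
}

def compare_scans(before, after):
    """RA-5(6): classify findings between two consecutive scans."""
    return {"new": after - before, "resolved": before - after, "persisting": before & after}

def first_seen(scans):
    """Date each currently open finding first appeared in an unbroken run of
    scans; a finding that disappears and returns is counted from its return."""
    seen = {}
    for day in sorted(scans):
        current = scans[day]
        for f in list(seen):          # drop findings this scan no longer reports
            if f not in current:
                del seen[f]
        for f in current:             # record first appearance of each open finding
            seen.setdefault(f, day)
    return seen

def overdue(scans, as_of):
    """RA-5 d.: open findings older than the response time for their severity."""
    return sorted(f for f, since in first_seen(scans).items()
                  if (as_of - since).days > RESPONSE_DAYS[f[2]])

def trend(scans):
    """RA-5(6): per-scan counts of open findings by severity, for trend reporting."""
    out = []
    for day in sorted(scans):
        counts = {}
        for _, _, sev in scans[day]:
            counts[sev] = counts.get(sev, 0) + 1
        out.append((day.isoformat(), counts))
    return out
```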

(7) The organization employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials.

(8) The organization reviews historic audit logs to determine if a vulnerability identified in the information system has been previously exploited.

(9) The organization employs an independent penetration agent or penetration team to:
(a) Conduct a vulnerability analysis on the information system; and
(b) Perform penetration testing on the information system based on the vulnerability analysis to determine the exploitability of identified vulnerabilities.
Enhancement Supplemental Guidance: A standard method for penetration testing includes: (i) pre-test analysis based on full knowledge of the target information system; (ii) pre-test identification of potential vulnerabilities based on pre-test analysis; and (iii) testing designed to determine exploitability of identified vulnerabilities. Detailed rules of engagement are agreed upon by all parties before the commencement of any penetration testing scenario.

mapping to FIPS199 baseline:

LOW: null     MOD: base (1)     HIGH: base (1) (2) (3) (4) (5) (7)

related (regimented) controls:

CA-02   Security Assessments
CM-06   Configuration Settings
SI-02   Flaw Remediation

documents referenced in SP800-53rev3 for RA-05:

Document        Date            Status   Title
NIST SP800-115  September 2008  current  Technical Guide to Information Security Testing and Assessment
NIST SP800-24   August 2000     current  PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else Does
NIST SP800-36   October 2003    current  Guide to Selecting Information Technology Security Products
NIST SP800-37   February 2010   current  Guide for the Security Certification and Accreditation of Federal Information Systems
NIST SP800-40   November 2005   current  Creating a Patch and Vulnerability Management Program
NIST SP800-44   September 2002  current  Guidelines on Securing Public Web Servers
NIST SP800-45   August 2006     DRAFT    Guidelines on Electronic Mail Security
NIST SP800-46   June 2009       current  Guide to Enterprise Telework and Remote Access Security
NIST SP800-51   September 2002  current  Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme
NIST SP800-82   June 2011       current  Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems Security
NIST SP800-83   September 2006  current  Guide to Malware Incident Prevention and Handling