| Applicable (Y)es / (N)o | (C)onfidentiality | (I)ntegrity | (A)vailability | RPN (C+I+A) | (S)atisfactory / (O)ther than satisfactory +## |
| --- | --- | --- | --- | --- | --- |
|  | L1 / M2 / H3 | L1 / M2 / H3 | L1 / M2 / H3 |  |  |

### ra-5 vulnerability scanning

assessment objective: Determine if the organization:

| Objective | Determine if the organization: |
| --- | --- |
| ra-5(a) |  |
| ra-5(a)[1] |  |
| ra-5(a)[1][a] | defines the frequency for conducting vulnerability scans on the information system and hosted applications; and/or |
| ra-5(a)[1][b] | defines the process for conducting random vulnerability scans on the information system and hosted applications; |
| ra-5(a)[2] | in accordance with the organization-defined frequency and/or organization-defined process for conducting random scans, scans for vulnerabilities in: |
| ra-5(a)[2][a] | the information system; |
| ra-5(a)[2][b] | hosted applications; |
| ra-5(a)[3] | when new vulnerabilities potentially affecting the system/applications are identified and reported, scans for vulnerabilities in: |
| ra-5(a)[3][a] | the information system; |
| ra-5(a)[3][b] | hosted applications; |
| ra-5(b) | employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: |
| ra-5(b)(1) |  |
| ra-5(b)(1)[1] | enumerating platforms; |
| ra-5(b)(1)[2] | enumerating software flaws; |
| ra-5(b)(1)[3] | enumerating improper configurations; |
| ra-5(b)(2) |  |
| ra-5(b)(2)[1] | formatting checklists; |
| ra-5(b)(2)[2] | formatting test procedures; |
| ra-5(b)(3) | measuring vulnerability impact; |
| ra-5(c) |  |
| ra-5(c)[1] | analyzes vulnerability scan reports; |
| ra-5(c)[2] | analyzes results from security control assessments; |
| ra-5(d) |  |
| ra-5(d)[1] | defines response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk; |
| ra-5(d)[2] | remediates legitimate vulnerabilities within the organization-defined response times in accordance with an organizational assessment of risk; |
| ra-5(e) |  |
| ra-5(e)[1] | defines personnel or roles with whom information obtained from the vulnerability scanning process and security control assessments is to be shared; |
| ra-5(e)[2] | shares information obtained from the vulnerability scanning process with organization-defined personnel or roles to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies); and |
| ra-5(e)[3] | shares information obtained from security control assessments with organization-defined personnel or roles to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies). |

potential assessment methods and objects:

| Method | Select from |
| --- | --- |
| Examine | Risk assessment policy; procedures addressing vulnerability scanning; risk assessment; security plan; security assessment report; vulnerability scanning tools and associated configuration documentation; vulnerability scanning results; patch and vulnerability management records; other relevant documents or records. |
| Interview | Organizational personnel with risk assessment, security control assessment and vulnerability scanning responsibilities; organizational personnel with vulnerability scan analysis responsibilities; organizational personnel with vulnerability remediation responsibilities; organizational personnel with information security responsibilities; system/network administrators. |
| Test | Organizational processes for vulnerability scanning, analysis, remediation, and information sharing; automated mechanisms supporting and/or implementing vulnerability scanning, analysis, remediation, and information sharing. |
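As an added example (not part of NIST SP 800-53A or of this page), the following Python check evaluates a set of scan findings against organization-defined remediation response times, the kind of automated evidence an assessor could test for ra-5(d)[1] and ra-5(d)[2]; the severity buckets, the response times, the `Finding` record and the sample findings are constructed assumptions, and a finding flagged as a false positive is excluded because it is not a legitimate vulnerability.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Organization-defined response times in days (ra-5(d)[1]). These values
# are an assumption for the example, not figures from SP 800-53A.
RESPONSE_DAYS = {"high": 30, "moderate": 90, "low": 180}

@dataclass(frozen=True)
class Finding:
    flaw_id: str                   # scanner's flaw identifier (constructed)
    host: str
    severity: str                  # "high" | "moderate" | "low"
    first_seen: date               # date the scan first reported it
    remediated: Optional[date] = None
    false_positive: bool = False   # analysis (ra-5(c)[1]) ruled it not legitimate

def due_date(f: Finding) -> date:
    """Deadline implied by the organization-defined response time."""
    return f.first_seen + timedelta(days=RESPONSE_DAYS[f.severity])

def classify(f: Finding, as_of: date) -> str:
    """Return 'excluded', 'on_time', 'late', 'open' or 'overdue'."""
    if f.false_positive:
        return "excluded"
    due = due_date(f)
    if f.remediated is not None:
        return "on_time" if f.remediated <= due else "late"
    return "overdue" if as_of > due else "open"

def assess(findings, as_of: date):
    """Counts per status plus (host, flaw_id, days overdue) for open overdue items."""
    summary = {k: 0 for k in ("excluded", "on_time", "late", "open", "overdue")}
    overdue = []
    for f in findings:
        status = classify(f, as_of)
        summary[status] += 1
        if status == "overdue":
            overdue.append((f.host, f.flaw_id, (as_of - due_date(f)).days))
    return summary, overdue

# Constructed sample findings and assessment date for demonstration.
AS_OF = date(2024, 5, 1)
SAMPLE = [
    Finding("FLAW-001", "web01", "high", date(2024, 1, 10), remediated=date(2024, 2, 1)),
    Finding("FLAW-002", "web01", "high", date(2024, 1, 10), remediated=date(2024, 3, 1)),
    Finding("FLAW-003", "db01", "moderate", date(2024, 1, 1)),
    Finding("FLAW-004", "db01", "low", date(2024, 3, 1)),
    Finding("FLAW-005", "app02", "high", date(2024, 2, 15), false_positive=True),
]

if __name__ == "__main__":
    print(assess(SAMPLE, AS_OF))
```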