Guidance for NIST 800-171 Assessment & Compliance

RA-5(2) VULNERABILITY SCANNING | UPDATE BY FREQUENCY / PRIOR TO NEW SCAN / WHEN IDENTIFIED

Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

(O)ther than satisfactory +##

###

ra-5(2)	vulnerability scanning \| update by frequency / prior to new scan / when identified
	assessment objective: Determine if the organization:
	ra-5(2)[1]	defines the frequency to update the information system vulnerabilities scanned;
	ra-5(2)[2]	updates the information system vulnerabilities scanned one or more of the following:
		ra-5(2)[2][a]	with the organization-defined frequency;
		ra-5(2)[2][b]	prior to a new scan; and/or
		ra-5(2)[2][c]	when new vulnerabilities are identified and reported.
	potential assessment methods and objects: Examine: [select from: Procedures addressing vulnerability scanning; security plan; security assessment report; vulnerability scanning tools and associated configuration documentation; vulnerability scanning results; patch and vulnerability management records; other relevant documents or records]. Interview: [select from: Organizational personnel with vulnerability scanning responsibilities; organizational personnel with vulnerability scan analysis responsibilities; organizational personnel with information security responsibilities; system/network administrators]. Test: [select from: Organizational processes for vulnerability scanning; automated mechanisms/tools supporting and/or implementing vulnerability scanning].

Hosted by ABCI Consultants for Information Security Management Systems | Implementations, Training and Assessments for Compliance | (800) 644-2056