Navigate

CCI-001055

CCI-001055 Definition

Defines a frequency for scanning for vulnerabilities in the system and hosted applications, and/or randomly in accordance with organization-defined process.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

Determine if: - systems and hosted applications are monitored for vulnerabilities [RA-05_ODP[01]; frequency for monitoring systems and hosted applications for vulnerabilities is defined] and when new vulnerabilities potentially affecting the system are identified and reported. - systems and hosted applications are scanned for vulnerabilities [RA-05_ODP[02]; frequency for scanning systems and hosted applications for vulnerabilities is defined] and when new vulnerabilities potentially affecting the system are identified and reported.

Validation Procedures

Examine: [SELECT FROM: Risk assessment policy; procedures addressing vulnerability scanning; risk assessment; assessment report; vulnerability scanning tools and associated configuration documentation; vulnerability scanning results; patch and vulnerability management records; system security plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with risk assessment, control assessment, and vulnerability scanning responsibilities; organizational personnel with vulnerability scan analysis responsibilities; organizational personnel with vulnerability remediation responsibilities; organizational personnel with security responsibilities; system/network administrators]. Test: [SELECT FROM: Organizational processes for vulnerability scanning, analysis, remediation, and information sharing; mechanisms supporting and/or implementing vulnerability scanning, analysis, remediation, and information sharing].

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-001055.

Control	Description
RA-5	a: Monitor and scan for vulnerabilities in the system and hosted applications [one of ] and when new vulnerabilities potentially affecting the system are identified and reported; b: Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1: Enumerating platforms, software flaws, and improper configurations; 2: Formatting checklists and test procedures; and 3: Measuring vulnerability impact; c: Analyze vulnerability scan reports and results from vulnerability monitoring; d: Remediate legitimate vulnerabilities [response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk are defined;] in accordance with an organizational assessment of risk; e: Share information obtained from the vulnerability monitoring process and control assessments with [personnel or roles with whom information obtained from the vulnerability scanning process and control assessments is to be shared;] to help eliminate similar vulnerabilities in other systems; and f: Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.

Control

Description

RA-5

a: Monitor and scan for vulnerabilities in the system and hosted applications [one of ] and when new vulnerabilities potentially affecting the system are identified and reported;

b: Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
- 1: Enumerating platforms, software flaws, and improper configurations;
- 2: Formatting checklists and test procedures; and
- 3: Measuring vulnerability impact;

c: Analyze vulnerability scan reports and results from vulnerability monitoring;

d: Remediate legitimate vulnerabilities [response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk are defined;] in accordance with an organizational assessment of risk;

e: Share information obtained from the vulnerability monitoring process and control assessments with [personnel or roles with whom information obtained from the vulnerability scanning process and control assessments is to be shared;] to help eliminate similar vulnerabilities in other systems; and

f: Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.