Navigate

CCI-001061

CCI-001061 Definition

The organization shares information obtained from the vulnerability scanning process and security control assessments with organization-defined personnel or roles to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed documents and implements a process to share information obtained from the vulnerability scanning process and security control assessments with at a minimum, the ISSM and ISSO to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies). DoD has defined the personnel or roles as at a minimum, the ISSO and ISSM.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed shares information obtained from the vulnerability scanning process and security control assessments with at a minimum, the ISSM and ISSO to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies). DoD has defined the personnel or roles as at a minimum, the ISSO and ISSM.

Compelling Evidence

1.) System security plan (SSP). 2.) Reference to system security plan (SSP) section pertaining to vulnerability scanning procedure. Reference section pertaining to a procedure for disseminating relevant information to the ISSM, ISSO, AO, and PM etc.

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-001061.

Control	Description
RA-5	The organization: RA-5a.: Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported; RA-5b.: Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: RA-5b.1.: Enumerating platforms, software flaws, and improper configurations; RA-5b.2.: Formatting checklists and test procedures; and RA-5b.3.: Measuring vulnerability impact; RA-5c.: Analyzes vulnerability scan reports and results from security control assessments; RA-5d.: Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and RA-5e.: Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).

Control

Description

RA-5

The organization:

RA-5a.: Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported;

RA-5b.: Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
- RA-5b.1.: Enumerating platforms, software flaws, and improper configurations;
- RA-5b.2.: Formatting checklists and test procedures; and
- RA-5b.3.: Measuring vulnerability impact;

RA-5c.: Analyzes vulnerability scan reports and results from security control assessments;

RA-5d.: Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and

RA-5e.: Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).