CCI-001062

The organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned.

Implementation Guidance

The organization being inspected/assessed will employ scanning tools that maintain currency with industry standard information system vulnerabilities to ensure that scanning activities are conducted with the most up to date list of known vulnerabilities to include USCYBERCOM issued IAVMs. DoD has provided an enterprise scanning tool that fully meets this requirement. Organizations that choose not to use the enterprise scanning tool must identify which scanning tool they are using and ensure that it meets these requirements.

Validation Procedures

The organization conducting the inspection/assessment will: 1. If the inspected organization is using the DoD provided enterprise scanning tool, compliance with this control is complete. 2. Validate the identified tool in use by the inspected organization is able to maintain current up to date information system vulnerability data.

Compelling Evidence

1.) Documentation that scanning tool being used can be updated.

The controls below (if any) were marked by NIST as being related to CCI-001062.