CCI-002906

The organization defines the vulnerability scanning activities in which the information system implements privileged access authorization to organization-identified information system components.

Implementation Guidance

The organization being inspected/assessed defines and documents the vulnerability scanning activities in which the information system implements privileged access authorization to organization-identified information system components. DoD has determined the vulnerability scanning activities are not appropriate to define at the Enterprise level.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the documented vulnerability scanning activities to ensure the organization being inspected/assessed defines the vulnerability scanning activities in which the information system implements privileged access authorization to organization-identified information system components. DoD has determined the vulnerability scanning activities are not appropriate to define at the Enterprise level.

Compelling Evidence

1.) System security plan (SSP). 2.) Reference to system security plan (SSP) section pertaining to the roles and responsibilities of vulnerability scanning.

The controls below (if any) were marked by NIST as being related to CCI-002906.