CCI-004636

Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.

Implementation Guidance

Determine if vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned are employed.

Validation Procedures

Examine: [SELECT FROM: Risk assessment policy; procedures addressing vulnerability scanning; risk assessment; assessment report; vulnerability scanning tools and associated configuration documentation; vulnerability scanning results; patch and vulnerability management records; system security plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with risk assessment, control assessment, and vulnerability scanning responsibilities; organizational personnel with vulnerability scan analysis responsibilities; organizational personnel with vulnerability remediation responsibilities; organizational personnel with security responsibilities; system/network administrators]. Test: [SELECT FROM: Organizational processes for vulnerability scanning, analysis, remediation, and information sharing; mechanisms supporting and/or implementing vulnerability scanning, analysis, remediation, and information sharing].

The controls below (if any) were marked by NIST as being related to CCI-004636.