Navigate

RA-5 (2)

RA-5 (2): Update By Frequency / Prior To New Scan / When Identified

The organization updates the information system vulnerabilities scanned [Selection (one or more): [Assignment: organization-defined frequency]; prior to a new scan; when new vulnerabilities are identified and reported].

Supplemental

None

CIA Levels
Confidentiality	low
Integrity	low
Availability	low

Overlays
None

Related Controls

The controls below (if any) were marked by NIST as being related to RA-5 (2).

Control	Description
SI-3	The organization: SI-3a.: Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code; SI-3b.: Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures; SI-3c.: Configures malicious code protection mechanisms to: SI-3c.1.: Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and SI-3c.2.: [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and SI-3d.: Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.
SI-5	The organization: SI-5a.: Receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis; SI-5b.: Generates internal security alerts, advisories, and directives as deemed necessary; SI-5c.: Disseminates security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and SI-5d.: Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.

Control

Description

SI-3

The organization:

SI-3a.: Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;

SI-3b.: Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;

SI-3c.: Configures malicious code protection mechanisms to:
- SI-3c.1.: Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and
- SI-3c.2.: [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and

SI-3d.: Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.

SI-5

The organization:

SI-5a.: Receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis;

SI-5b.: Generates internal security alerts, advisories, and directives as deemed necessary;

SI-5c.: Disseminates security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and

SI-5d.: Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.

Enhancements

The controls below (if any) add on to the requirements of RA-5 (2).

Control	Description
No controls

Related CCIs

The CCIs below are tied to RA-5 (2).

CCI	Definition
CCI-001063	The organization updates the information system vulnerabilities scanned on an organization-defined frequency, prior to a new scan, and/or when new vulnerabilities are identified and reported.
CCI-001064	The organization defines a frequency for updating the information system vulnerabilities scanned.