SA-15 (7)

SA-15 (7): Automated Vulnerability Analysis

The organization requires the developer of the information system, system component, or information system service to:

SA-15 (7)(a): Perform an automated vulnerability analysis using [Assignment: organization-defined tools];

SA-15 (7)(b): Determine the exploitation potential for discovered vulnerabilities;

SA-15 (7)(c): Determine potential risk mitigations for delivered vulnerabilities; and

SA-15 (7)(d): Deliver the outputs of the tools and results of the analysis to [Assignment: organization-defined personnel or roles].

None

Overlays
None

The controls below (if any) were marked by NIST as being related to SA-15 (7).

Control	Description
RA-5	The organization: RA-5a.: Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported; RA-5b.: Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: RA-5b.1.: Enumerating platforms, software flaws, and improper configurations; RA-5b.2.: Formatting checklists and test procedures; and RA-5b.3.: Measuring vulnerability impact; RA-5c.: Analyzes vulnerability scan reports and results from security control assessments; RA-5d.: Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and RA-5e.: Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).

Control

Description

RA-5a.: Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported;

RA-5b.: Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
- RA-5b.1.: Enumerating platforms, software flaws, and improper configurations;
- RA-5b.2.: Formatting checklists and test procedures; and
- RA-5b.3.: Measuring vulnerability impact;

RA-5c.: Analyzes vulnerability scan reports and results from security control assessments;

RA-5d.: Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and

RA-5e.: Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).

The controls below (if any) add on to the requirements of SA-15 (7).

Control	Description
No controls

The CCIs below are tied to SA-15 (7).

CCI	Definition
CCI-003275	The organization requires the developer of the information system, system component, or information system services to perform an automated vulnerability analysis using organization-defined tools.
CCI-003276	The organization defines the tools the developer of the information system, system component, or information system services uses to perform an automated vulnerability analysis.
CCI-003277	The organization requires the developer of the information system, system component, or information system services to determine the exploitation potential for discovered vulnerabilities.
CCI-003278	The organization requires the developer of the information system, system component, or information system services to determine potential risk mitigations for delivered vulnerabilities.
CCI-003279	The organization requires the developer of the information system, system component, or information system services to deliver the outputs of the tools and results of the vulnerability analysis to organization-defined personnel or roles.
CCI-003280	The organization defines the personnel or roles to whom the outputs of the tools and results of the vulnerability analysis are delivered.