SA-15(7)

SA-15(7): Automated Vulnerability Analysis

The organization requires the developer of the information system, system component, or information system service to:

(a): Perform an automated vulnerability analysis using [organization-defined tools];

(d): Deliver the outputs of the tools and results of the analysis to [organization-defined personnel or roles].

Overlays
None

CSF Categories
None

The controls below (if any) were marked by NIST as being related to SA-15(7).

Control	Description
RA-5	The organization: a: Scans for vulnerabilities in the information system and hosted applications [organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported; b: Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1: Enumerating platforms, software flaws, and improper configurations; 2: Formatting checklists and test procedures; and 3: Measuring vulnerability impact; c: Analyzes vulnerability scan reports and results from security control assessments; d: Remediates legitimate vulnerabilities [organization-defined response times] in accordance with an organizational assessment of risk; and e: Shares information obtained from the vulnerability scanning process and security control assessments with [organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).

Control

Description

a: Scans for vulnerabilities in the information system and hosted applications [organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported;

b: Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
- 1: Enumerating platforms, software flaws, and improper configurations;
- 2: Formatting checklists and test procedures; and
- 3: Measuring vulnerability impact;

c: Analyzes vulnerability scan reports and results from security control assessments;

d: Remediates legitimate vulnerabilities [organization-defined response times] in accordance with an organizational assessment of risk; and

e: Shares information obtained from the vulnerability scanning process and security control assessments with [organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).

The controls below (if any) add on to the requirements of SA-15(7).

Control	Description
No controls

The CCIs below are tied to SA-15(7).

CCI	Definition
CCI-003275	Require the developer of the system, system component, or system services, on an organization-defined frequency, to perform an automated vulnerability analysis using organization-defined tools.
CCI-003276	Defines the tools the developer of the system, system component, or system services uses to perform an automated vulnerability analysis.
CCI-003277	Require the developer of the system, system component, or system services, on an organization-defined frequency, to determine the exploitation potential for discovered vulnerabilities.
CCI-003278	Require the developer of the system, system component, or system services, on an organization-defined frequency, to determine potential risk mitigations for delivered vulnerabilities.
CCI-003279	Require the developer of the system, system component, or system services, on an organization-defined frequency, to deliver the outputs of the tools and results of the vulnerability analysis to organization-defined personnel or roles.
CCI-003280	Defines the personnel or roles to whom the outputs of the tools and results of the vulnerability analysis are delivered.