Navigate

SA-15(7)

SA-15(7): Automated Vulnerability Analysis

Require the developer of the system, system component, or system service [frequency at which to conduct vulnerability analysis is defined;] to:

(a): Perform an automated vulnerability analysis using [tools used to perform automated vulnerability analysis are defined;];

(b): Determine the exploitation potential for discovered vulnerabilities;

(c): Determine potential risk mitigations for delivered vulnerabilities; and

(d): Deliver the outputs of the tools and results of the analysis to [personnel or roles to whom the outputs of tools and results of the analysis are to be delivered is/are defined;].

Supplemental

Automated tools can be more effective at analyzing exploitable weaknesses or deficiencies in large and complex systems, prioritizing vulnerabilities by severity, and providing recommendations for risk mitigations.

CIA Levels
Confidentiality	unknown
Integrity	high
Availability	unknown

Overlays
DAF Baseline

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to SA-15(7).

Control	Description
RA-5	a: Monitor and scan for vulnerabilities in the system and hosted applications [one of ] and when new vulnerabilities potentially affecting the system are identified and reported; b: Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1: Enumerating platforms, software flaws, and improper configurations; 2: Formatting checklists and test procedures; and 3: Measuring vulnerability impact; c: Analyze vulnerability scan reports and results from vulnerability monitoring; d: Remediate legitimate vulnerabilities [response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk are defined;] in accordance with an organizational assessment of risk; e: Share information obtained from the vulnerability monitoring process and control assessments with [personnel or roles with whom information obtained from the vulnerability scanning process and control assessments is to be shared;] to help eliminate similar vulnerabilities in other systems; and f: Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.
SA-11	Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to: a: Develop and implement a plan for ongoing security and privacy control assessments; b: Perform [one or more of "unit"/"integration"/"system"/"regression"] testing/evaluation [frequency at which to conduct {{ insert: param, sa-11_odp.01 }} testing/evaluation is defined;] at [depth and coverage of {{ insert: param, sa-11_odp.01 }} testing/evaluation is defined;]; c: Produce evidence of the execution of the assessment plan and the results of the testing and evaluation; d: Implement a verifiable flaw remediation process; and e: Correct flaws identified during testing and evaluation.

Control

Description

RA-5

a: Monitor and scan for vulnerabilities in the system and hosted applications [one of ] and when new vulnerabilities potentially affecting the system are identified and reported;

b: Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
- 1: Enumerating platforms, software flaws, and improper configurations;
- 2: Formatting checklists and test procedures; and
- 3: Measuring vulnerability impact;

c: Analyze vulnerability scan reports and results from vulnerability monitoring;

d: Remediate legitimate vulnerabilities [response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk are defined;] in accordance with an organizational assessment of risk;

e: Share information obtained from the vulnerability monitoring process and control assessments with [personnel or roles with whom information obtained from the vulnerability scanning process and control assessments is to be shared;] to help eliminate similar vulnerabilities in other systems; and

f: Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.

SA-11

Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to:

a: Develop and implement a plan for ongoing security and privacy control assessments;

b: Perform [one or more of "unit"/"integration"/"system"/"regression"] testing/evaluation [frequency at which to conduct {{ insert: param, sa-11_odp.01 }} testing/evaluation is defined;] at [depth and coverage of {{ insert: param, sa-11_odp.01 }} testing/evaluation is defined;];

c: Produce evidence of the execution of the assessment plan and the results of the testing and evaluation;

d: Implement a verifiable flaw remediation process; and

e: Correct flaws identified during testing and evaluation.

Enhancements

The controls below (if any) add on to the requirements of SA-15(7).

Control	Description
No controls

Related CCIs

The CCIs below are tied to SA-15(7).

CCI	Definition
CCI-003275	Require the developer of the system, system component, or system services, on an organization-defined frequency, to perform an automated vulnerability analysis using organization-defined tools.
CCI-003276	Defines the tools the developer of the system, system component, or system services uses to perform an automated vulnerability analysis.
CCI-003277	Require the developer of the system, system component, or system services, on an organization-defined frequency, to determine the exploitation potential for discovered vulnerabilities.
CCI-003278	Require the developer of the system, system component, or system services, on an organization-defined frequency, to determine potential risk mitigations for delivered vulnerabilities.
CCI-003279	Require the developer of the system, system component, or system services, on an organization-defined frequency, to deliver the outputs of the tools and results of the vulnerability analysis to organization-defined personnel or roles.
CCI-003280	Defines the personnel or roles to whom the outputs of the tools and results of the vulnerability analysis are delivered.
CCI-004827	Defines the frequency for performing an automated vulnerability analysis using organization-defined tools.
CCI-004828	Defines the frequency for determining the exploitation potential for discovered vulnerabilities.
CCI-004829	Defines the frequency for determining potential risk mitigations for delivered vulnerabilities.
CCI-004830	Defines the frequency for delivering the outputs of the tools and results of the vulnerability analysis to organization-defined personnel or roles.