SR-11(3)

SR-11(3): Anti-counterfeit Scanning

Scan for counterfeit system components [the frequency at which to scan for counterfeit system components is defined;].

The type of component determines the type of scanning to be conducted (e.g., web application scanning if the component is a web application).

Overlays
DAF Baseline

CSF Categories
None

The controls below (if any) were marked by NIST as being related to SR-11(3).

Control	Description
RA-5	a: Monitor and scan for vulnerabilities in the system and hosted applications [one of ] and when new vulnerabilities potentially affecting the system are identified and reported; b: Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1: Enumerating platforms, software flaws, and improper configurations; 2: Formatting checklists and test procedures; and 3: Measuring vulnerability impact; c: Analyze vulnerability scan reports and results from vulnerability monitoring; d: Remediate legitimate vulnerabilities [response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk are defined;] in accordance with an organizational assessment of risk; e: Share information obtained from the vulnerability monitoring process and control assessments with [personnel or roles with whom information obtained from the vulnerability scanning process and control assessments is to be shared;] to help eliminate similar vulnerabilities in other systems; and f: Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.

Control

Description

a: Monitor and scan for vulnerabilities in the system and hosted applications [one of ] and when new vulnerabilities potentially affecting the system are identified and reported;

b: Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
- 1: Enumerating platforms, software flaws, and improper configurations;
- 2: Formatting checklists and test procedures; and
- 3: Measuring vulnerability impact;

c: Analyze vulnerability scan reports and results from vulnerability monitoring;

d: Remediate legitimate vulnerabilities [response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk are defined;] in accordance with an organizational assessment of risk;

e: Share information obtained from the vulnerability monitoring process and control assessments with [personnel or roles with whom information obtained from the vulnerability scanning process and control assessments is to be shared;] to help eliminate similar vulnerabilities in other systems; and

f: Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.

The controls below (if any) add on to the requirements of SR-11(3).

Control	Description
No controls

The CCIs below are tied to SR-11(3).

CCI	Definition
CCI-005142	Scan for counterfeit system components on an organization-defined frequency.
CCI-005143	Defines the frequency for which the counterfeit system components are scanned.