This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization:
a. Scans for vulnerabilities in the information system and hosted applications [FedRAMP Assignment: (L)(M)(H) monthly operating system/infrastructure; monthly web applications and databases] and when new vulnerabilities potentially affecting the system/applications are identified and reported;
b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
1. Enumerating platforms, software flaws, and improper configurations;
2. Formatting checklists and test procedures; and
3. Measuring vulnerability impact;
c. Analyzes vulnerability scan reports and results from security control assessments;
d. Remediates legitimate vulnerabilities [FedRAMP Assignment: (L)(M)(H) high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery], in accordance with an organizational assessment of risk; and
e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
NIST 800-53 (r4) Supplemental Guidance:
Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. Organizations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms. Organizations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine/test for the presence of vulnerabilities. Suggested sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security control assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organizations also consider using tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). Related controls: CA-2, CA-7, CM-4, CM-6, RA-2, RA-3, SA-11, SI-2.
References: NIST Special Publications 800-40, 800-70, 800-115; Web: http://cwe.mitre.org, http://nvd.nist.gov.
NIST 800-53 (r5) Discussion:
Security categorization of information and systems guides the frequency and comprehensiveness of vulnerability monitoring (including scans). Organizations determine the required vulnerability monitoring for system components, ensuring that the potential sources of vulnerabilities—such as infrastructure components (e.g., switches, routers, guards, sensors), networked printers, scanners, and copiers—are not overlooked. The capability to readily update vulnerability monitoring tools as new vulnerabilities are discovered and announced and as new scanning methods are developed helps to ensure that new vulnerabilities are not missed by employed vulnerability monitoring tools. The vulnerability monitoring tool update process helps to ensure that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability monitoring and analyses for custom software may require additional approaches, such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can use these analysis approaches in source code reviews and in a variety of tools, including web-based application scanners, static analysis tools, and binary analyzers.
Vulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly. Vulnerability monitoring may also include continuous vulnerability monitoring tools that use instrumentation to continuously analyze components. Instrumentation-based tools may improve accuracy and may be run throughout an organization without scanning. Vulnerability monitoring tools that facilitate interoperability include tools that are Security Content Automated Protocol (SCAP)-validated. Thus, organizations consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Control assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).
Vulnerability monitoring includes a channel and process for receiving reports of security vulnerabilities from the public at-large. Vulnerability disclosure programs can be as simple as publishing a monitored email address or web form that can receive reports, including notification authorizing good-faith research and disclosure of security vulnerabilities. Organizations generally expect that such research is happening with or without their authorization and can use public vulnerability disclosure channels to increase the likelihood that discovered vulnerabilities are reported directly to the organization for remediation.
Organizations may also employ the use of financial incentives (also known as bug bounties) to further encourage external security researchers to report discovered vulnerabilities. Bug bounty programs can be tailored to the organization’s needs. Bounties can be operated indefinitely or over a defined period of time and can be offered to the general public or to a curated group. Organizations may run public and private bounties simultaneously and could choose to offer partially credentialed access to certain participants in order to evaluate security vulnerabilities from privileged vantage points.
38North Guidance:
Meets Minimum Requirement:
Implement a vulnerability scanning program that conducts monthly vulnerability scanning of all operating systems/infrastructure, web applications, and databases within the FedRAMP environment.
Ensure that the latest FedRAMP scanning requirements are followed by searching for "Vulnerability Scanning Requirements" at https://www.fedramp.gov/documents-templates/.
Ensure that designated personnel are responsible for conducting the scans, analyzing the scan results, and providing the results to authorized personnel.
Ensure that credentialed scans are conducted on all components within the FedRAMP environment.
Ensure vulnerability scanning tools are kept up to date with the latest plugins to ensure that all current vulnerabilities are being detected on all system components.
Vulnerabilities must be remediated within the FedRAMP timeframes, measured from the date of discovery: High vulnerabilities within 30 days, Moderate (Medium) vulnerabilities within 90 days, and Low vulnerabilities within 180 days.
Disseminate scan results to all Authorizing Officials; for a JAB authorization, this includes FedRAMP.
Document remediation efforts in a way that demonstrates how quickly fixes/patches are applied, including remediation scans showing that the vulnerability no longer applies.
Vulnerabilities that cannot be remediated immediately are placed on the Plan of Action and Milestones (POA&M), which tracks the remediation process. The latest templates are located here: https://www.fedramp.gov/documents-templates/.
Vulnerability Deviation Request Forms are used to document vulnerabilities that cannot be remediated, using the latest request form: https://www.fedramp.gov/documents-templates/.
Best Practice:
The vulnerability scanning tools should use Common Vulnerabilities and Exposures (CVE) naming convention and use the Open Vulnerability Assessment Language (OVAL).
Ensure that any privileged or administrator credentials used for scanning are accessible only to authorized personnel, are stored in an encrypted secrets manager, and are rotated when personnel leave that role or are terminated.
Qualys guide for scanning workspaces: https://success.qualys.com/discussions/s/article/000006698
FedRAMP CSP Timeliness and Accuracy of Testing Requirements, Version 3.0, 12/11/2020 https://www.fedramp.gov/assets/resources/documents/CSP_Timeliness_and_Accuracy_of_Testing_Requirements.pdf
Unofficial FedRAMP Guidance:
BOD 22-01: https://www.cisa.gov/binding-operational-directive-22-01; FedRAMP BOD Guidance: https://www.fedramp.gov/2022-03-08-fedramp-bod-22-01-guidance/; Fortreum article: https://www.linkedin.com/pulse/cisa-kev-fedramp-what-you-need-know-benjamin-scudera/?trackingId=cf4hFeNq6N0GJtil3PdZmQ%3D%3D
Main take-away: known exploited vulnerabilities (CISA KEV entries) must be remediated within 6 months if the CVE ID was assigned prior to 2021 and within two weeks for all other KEV entries. This is a substantial departure from the monthly cadence of ConMon scanning: mid-month scans targeting only vulnerabilities with applicable KEV entries will likely be needed to consistently validate the two-week timeframe.
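The following Python is an added example (not 38North, FedRAMP or CISA tooling) that applies the two rule sets above to a set of scan findings: the RA-5(d) windows from the Meets Minimum Requirement section and the BOD 22-01 KEV overlay. It computes each finding's effective due date (a KEV entry can only shorten a FedRAMP deadline, never extend it), flags overdue items for the ConMon report, and lists the KEV findings to re-scan mid-month. Assumptions made here and not taken from the page: six months is approximated as 180 days, a scanner "Critical" rating is treated as FedRAMP High, the KEV deadline is counted from the date of discovery (the KEV catalog itself publishes a per-entry due date, which takes precedence when you have it), and the findings, report date and KEV subset are constructed sample data.

```python
"""Triage of scan findings against FedRAMP RA-5(d) remediation windows and the
BOD 22-01 KEV overlay. Added illustration; all findings, the report date and
the KEV subset below are constructed sample data."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# FedRAMP RA-5(d) windows, in days from the date of discovery.
FEDRAMP_WINDOW_DAYS = {"high": 30, "moderate": 90, "low": 180}

# BOD 22-01 overlay as summarized on this page: CVE IDs assigned before 2021
# get six months, everything else in the KEV gets two weeks. Six months is
# approximated as 180 days (assumption); the KEV catalog's own per-entry due
# date should be preferred when available.
KEV_PRE_2021_DAYS = 180
KEV_RECENT_DAYS = 14

# Scanner severity labels normalized to the FedRAMP buckets. Mapping "critical"
# onto the 30-day High bucket is an assumption of this example.
SEVERITY_ALIASES = {"critical": "high", "high": "high", "moderate": "moderate",
                    "medium": "moderate", "low": "low"}

# Constructed report date used by the stand-alone run below.
REPORT_DATE = date(2023, 2, 1)


@dataclass(frozen=True)
class Finding:
    cve: str
    severity: str       # scanner rating, e.g. "High", "Medium"
    host: str
    discovered: date    # first date the scanner reported it


def cve_year(cve: str) -> int:
    """Year field of a CVE ID (CVE-YYYY-NNNN...); rejects malformed IDs."""
    parts = cve.strip().upper().split("-")
    if (len(parts) != 3 or parts[0] != "CVE" or len(parts[1]) != 4
            or not parts[1].isdigit() or not parts[2].isdigit()):
        raise ValueError(f"malformed CVE ID: {cve!r}")
    return int(parts[1])


def kev_window_days(cve: str) -> int:
    """BOD 22-01 window for a KEV entry, keyed on the CVE ID's year."""
    return KEV_PRE_2021_DAYS if cve_year(cve) < 2021 else KEV_RECENT_DAYS


def due_date(finding: Finding, kev: set[str]) -> tuple[date, str]:
    """Earliest applicable deadline and the rule that set it."""
    sev = SEVERITY_ALIASES.get(finding.severity.lower())
    if sev is None:
        raise ValueError(f"unknown severity {finding.severity!r} for {finding.cve}")
    due = finding.discovered + timedelta(days=FEDRAMP_WINDOW_DAYS[sev])
    basis = f"FedRAMP {sev}"
    if finding.cve.upper() in kev:
        kev_due = finding.discovered + timedelta(days=kev_window_days(finding.cve))
        if kev_due < due:          # KEV only ever tightens the deadline
            due, basis = kev_due, "BOD 22-01 KEV"
    return due, basis


def triage(findings: list[Finding], kev: set[str], today: date) -> list[dict]:
    """Rows sorted by due date, with an overdue flag for the ConMon report."""
    rows = []
    for f in findings:
        due, basis = due_date(f, kev)
        rows.append({"host": f.host, "cve": f.cve, "severity": f.severity,
                     "due": due, "basis": basis,
                     "days_left": (due - today).days, "overdue": today > due})
    return sorted(rows, key=lambda r: r["due"])


def kev_recheck_targets(findings: list[Finding], kev: set[str]) -> list[tuple[str, str]]:
    """(host, cve) pairs to re-scan mid-month so the two-week KEV window can be
    validated without waiting for the next monthly ConMon scan."""
    return sorted({(f.host, f.cve) for f in findings if f.cve.upper() in kev})


# Constructed sample data. The two KEV entries are real catalog members; the
# other two CVE IDs are placeholders for this example, not real findings.
SAMPLE_KEV = {"CVE-2021-44228", "CVE-2017-0144"}
SAMPLE_FINDINGS = [
    Finding("CVE-2021-44228", "Critical", "web-01", date(2023, 1, 10)),
    Finding("CVE-2017-0144", "High", "db-01", date(2023, 1, 10)),
    Finding("CVE-2022-0000", "Low", "app-02", date(2023, 1, 20)),
    Finding("CVE-2023-0000", "Medium", "app-03", date(2022, 10, 15)),
]

if __name__ == "__main__":
    for r in triage(SAMPLE_FINDINGS, SAMPLE_KEV, REPORT_DATE):
        flag = "OVERDUE" if r["overdue"] else f"{r['days_left']}d left"
        print(f"{r['host']:<8}{r['cve']:<16}{r['severity']:<9}{r['due']}  "
              f"{r['basis']:<16}{flag}")
    print("mid-month KEV re-scan:", kev_recheck_targets(SAMPLE_FINDINGS, SAMPLE_KEV))
```

Note how CVE-2017-0144 illustrates the direction of the overlay: its pre-2021 KEV window (180 days) is longer than the FedRAMP High window, so the 30-day FedRAMP deadline stands, while CVE-2021-44228 is pulled forward from 30 days to two weeks.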
Assessment Evidence:
Scan results, including remediation scans and credentialed scans.
Tickets that demonstrate remediation efforts.
Email or ticket communication showing scan results disseminated to organization-defined authorized personnel.
CSP Implementation Tips:
Container scanners currently being accepted by FedRAMP for use: Qualys, Twistlock, Anchore Grype, and AquaSec (itself undergoing FedRAMP authorization as of Jan 2023). JFrog and Sysdig do not meet all of the container scanning requirements but are acceptable.
Amazon Web Services (AWS):
AWS guidance for updating workspaces: https://docs.aws.amazon.com/workspaces/latest/adminguide/update-management.html
Microsoft Azure: TBD
Google Cloud Platform: TBD