This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization correlates the output from vulnerability scanning tools to determine the presence of multi-vulnerability/multi-hop attack vectors.
RA-5 (10) Additional FedRAMP Requirements and Guidance: If multiple tools are not used, this control is not applicable.
NIST 800-53 (r4) Supplemental Guidance:
None
NIST 800-53 (r5) Discussion:
An attack vector is a path or means by which an adversary can gain access to a system in order to deliver malicious code or exfiltrate information. Organizations can use attack trees to show how hostile activities by adversaries interact and combine to produce adverse impacts or negative consequences to systems and organizations. Such information, together with correlated data from vulnerability scanning tools, can provide greater clarity regarding multi-vulnerability and multi-hop attack vectors. The correlation of vulnerability scanning information is especially important when organizations are transitioning from older technologies to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols). During such transitions, some system components may inadvertently be unmanaged and create opportunities for adversary exploitation.
38North Guidance:
Meets Minimum Requirement:
Correlates the output from vulnerability scanning tools to determine the presence of multi-vulnerability/multi-hop attack vectors.
This control is only applicable if multiple scanning tools are utilized in the environment.
Best Practice:
Utilize scanning tools that help identify when multiple vulnerabilities provide attackers with a multi-hop attack vector (such as open ports facing the Internet and the vulnerabilities on an unpatched server within the FedRAMP environment).
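As an added illustration of the correlation this control asks for (example code, not 38North or FedRAMP material), the script below joins the output of two constructed scanner runs, an external port scan and an internal authenticated patch-level scan, with a constructed reachability map, and walks the resulting graph to list Internet-to-host paths whose last hop lands on a host carrying a high or critical finding. All hostnames, finding IDs, severities and reachability entries are constructed placeholders.

```python
from collections import deque

# Constructed output of an external (unauthenticated) scan: services that are
# reachable from the Internet. These hosts are the candidate entry points.
EXTERNAL_SCAN = [
    {"host": "web-01", "port": 443, "service": "https", "exposed": True},
    {"host": "web-01", "port": 22, "service": "ssh", "exposed": True},
    {"host": "bastion", "port": 22, "service": "ssh", "exposed": True},
]

# Constructed output of an internal (authenticated) patch-level scan.
# Finding IDs are placeholders, not real vulnerability identifiers.
INTERNAL_SCAN = [
    {"host": "web-01", "finding": "FINDING-PLACEHOLDER-A", "severity": "medium"},
    {"host": "db-01", "finding": "FINDING-PLACEHOLDER-B", "severity": "critical"},
    {"host": "app-01", "finding": "FINDING-PLACEHOLDER-C", "severity": "high"},
]

# Constructed reachability map (e.g. derived from firewall or security-group
# rules): source host -> set of destination hosts it can reach.
REACHABILITY = {
    "web-01": {"app-01"},
    "app-01": {"db-01"},
    "bastion": {"app-01", "db-01"},
}


def multi_hop_vectors(external, internal, reach, severities=("critical", "high")):
    """Return paths Internet -> entry host -> ... -> host, where the final host has
    a finding at one of `severities` and lies at least one hop past the entry."""
    entry = {f["host"] for f in external if f["exposed"]}
    weak = {f["host"] for f in internal if f["severity"] in severities}
    paths = []
    for start in sorted(entry):            # breadth-first walk from each entry point
        queue = deque([[start]])
        while queue:
            path = queue.popleft()
            for nxt in sorted(reach.get(path[-1], ())):
                if nxt in path:            # skip cycles in the reachability graph
                    continue
                new_path = path + [nxt]
                if nxt in weak:            # a reachable host with a serious finding
                    paths.append(["internet"] + new_path)
                queue.append(new_path)
    return paths


if __name__ == "__main__":
    for p in multi_hop_vectors(EXTERNAL_SCAN, INTERNAL_SCAN, REACHABILITY):
        print(" -> ".join(p))
```

Each printed path is one candidate multi-hop attack vector to record and prioritise for remediation; hosts that are exposed but have no serious finding of their own (web-01 here) still appear as intermediate hops, which is exactly the correlation a single scanner would miss.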
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Screen shots of vulnerability scanning results identifying unsafe protocols or other potential attack vectors that could potentially expose the environment to adversaries.
Screen shots demonstrating the correlation of vulnerability scanning results between all vulnerability scanning tools.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD