This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization updates the information system vulnerabilities scanned [FedRAMP Selection (one or more): [Assignment: organization-defined frequency]; (M)(H) prior to a new scan; when new vulnerabilities are identified and reported].
NIST 800-53 (r4) Supplemental Guidance:
Related controls: SI-3, SI-5.
NIST 800-53 (r5) Discussion:
Due to the complexity of modern software, systems, and other factors, new vulnerabilities are discovered on a regular basis. It is important that newly discovered vulnerabilities are added to the list of vulnerabilities to be scanned to ensure that the organization can take steps to mitigate those vulnerabilities in a timely manner.
38North Guidance:
Meets Minimum Requirement:
Vulnerability scanning tools (their vulnerability plugins, signatures, or rulesets) are updated at the organization-defined frequency, prior to each new scan, and when new vulnerabilities are identified and reported.
Best Practice:
Vulnerability scanning tools are configured to update their vulnerability plugins and rulesets automatically wherever the tool supports it.
Keep every vulnerability scanning tool current with the latest plugin feed and engine updates, and verify the plugin set date before launching a scan so that the scan covers the most recently reported vulnerabilities.
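The following is an added example, not part of 38North's guidance or any scanner vendor's tooling. It shows one way to enforce the "prior to a new scan" requirement as a pre-scan gate: the script parses the scanner's plugin-set identifier, refuses to proceed when the plugin set is older than the organization-defined frequency, and emits a timestamped evidence record that can be filed with the scan output. The 12-digit YYYYMMDDHHMM plugin-set format, the 7-day threshold, and the sample plugin-set values are all assumptions; the sample inputs are constructed, not real scanner output.

```python
"""Pre-scan plugin-freshness gate for RA-5(2) (added example, hypothetical policy values)."""
import json
from datetime import datetime, timedelta, timezone

# Assumed organization-defined frequency: plugins may be at most 7 days old at scan time.
MAX_PLUGIN_AGE = timedelta(days=7)


def parse_timestamp(value: str) -> datetime:
    """Parse a plugin-set identifier or ISO-8601 timestamp into an aware UTC datetime.

    Accepts the 12-digit YYYYMMDDHHMM form (assumed to match Nessus-style plugin
    set IDs; verify against your scanner's output) or any ISO-8601 date/time.
    """
    s = value.strip()
    if s.isdigit() and len(s) == 12:
        return datetime.strptime(s, "%Y%m%d%H%M").replace(tzinfo=timezone.utc)
    dt = datetime.fromisoformat(s.replace("Z", "+00:00"))
    if dt.tzinfo is None:  # treat naive timestamps as UTC rather than guessing a zone
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def plugin_feed_is_current(plugin_set: str, now: datetime, max_age: timedelta = MAX_PLUGIN_AGE):
    """Return (ok, age): ok is True when the plugin set is no older than max_age."""
    feed_time = parse_timestamp(plugin_set)
    age = now - feed_time
    if age < timedelta(0):
        # A feed dated in the future usually means a clock problem on the scanner;
        # refuse rather than silently passing the check.
        raise ValueError(f"plugin set {plugin_set} is dated in the future; check scanner clock")
    return age <= max_age, age


def scan_gate(plugin_set: str, scanner_version: str, now=None, max_age: timedelta = MAX_PLUGIN_AGE):
    """Decide whether a scan may start and build an evidence record for the assessor.

    `now` may be an ISO-8601 string (useful for tests and replay) or None for the
    current UTC time. Returns (ok, record); the caller should abort the scan when
    ok is False and file the record with the scan output either way.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_timestamp(now)
    ok, age = plugin_feed_is_current(plugin_set, now, max_age)
    record = {
        "control": "RA-5(2)",
        "checked_at": now.isoformat(),
        "scanner_version": scanner_version,
        "plugin_set": plugin_set,
        "plugin_set_date": parse_timestamp(plugin_set).isoformat(),
        "plugin_age_hours": round(age.total_seconds() / 3600, 1),
        "max_plugin_age_hours": round(max_age.total_seconds() / 3600, 1),
        "result": "PASS" if ok else "FAIL: update plugins before scanning",
    }
    return ok, record


if __name__ == "__main__":
    # Constructed sample: a fixed "now" and three plugin-set values (not real feed data).
    sample_now = "2024-03-20T12:00:00Z"
    for sample_set in ("202403181430", "202402011200", "2024-03-19T08:00:00Z"):
        allowed, evidence = scan_gate(sample_set, "10.7.2", sample_now)
        print(json.dumps(evidence))
        if not allowed:
            print(f"scan blocked: {evidence['result']}")
```

Run it before each scheduled scan (for example as the first step of the scan job) and archive the emitted JSON lines together with the scan report; the record gives an assessor the plugin-set date, the scan-time check, and the threshold in one place, which is stronger evidence than a screenshot taken at an unrelated time.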
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Screenshots (or scanner-generated reports) showing the plugin set or ruleset version and date in use, demonstrating that the vulnerability scanning tools were at the latest available versions/plugins when each scan was run.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD