This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization employs vulnerability scanning procedures that can identify the breadth and depth of coverage (i.e., information system components scanned and vulnerabilities checked).
NIST 800-53 (r4) Supplemental Guidance:
None
NIST 800-53 (r5) Discussion:
The breadth of vulnerability scanning coverage can be expressed as a percentage of components within the system, by the particular types of systems, by the criticality of systems, or by the number of vulnerabilities to be checked. Conversely, the depth of vulnerability scanning coverage can be expressed as the level of the system design that the organization intends to monitor (e.g., component, module, subsystem, element). Organizations can determine the sufficiency of vulnerability scanning coverage with regard to its risk tolerance and other factors. Scanning tools and how the tools are configured may affect the depth and coverage. Multiple scanning tools may be needed to achieve the desired depth and coverage. SP 800-53A provides additional information on the breadth and depth of coverage.
38North Guidance:
Meets Minimum Requirement:
Vulnerability scanning procedures that identify the breadth and depth of coverage of vulnerability scanning for the FedRAMP environment.
Best Practice:
Ensure that all system components within the production environment are scanned for vulnerabilities, including credentialed scans.
Conduct host discovery scans semi-annually and compare the results against the regularly configured scans to confirm that every discovered system is being scanned.
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Host discovery scan results compared to regularly configured scans.
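The comparison called for under Best Practice and Assessment Evidence above, as an added worked example (it is not 38North's, NIST's, or any scanner vendor's code). It assumes both scans have been exported to a simple CSV with the column names shown; the IP addresses, hostnames and criticality tags are constructed sample data. Breadth is reported as the percentage of discovered components that appear in the scheduled scan (overall and per criticality tier, as the r5 discussion suggests), and depth is approximated by flagging hosts where the scheduled scan ran without credentials. Hosts that are still in the scan schedule but no longer discovered are listed as stale so the schedule can be cleaned up.

```python
"""Compare a semi-annual host discovery scan against the regularly
scheduled vulnerability scan to measure breadth and depth of coverage.

Assumed input format (hypothetical, not any specific scanner's export):
  discovery CSV : ip,hostname,criticality
  scheduled CSV : ip,credentialed   (credentialed = yes/no)
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample: hosts found on the production subnets by the
# discovery scan.
DISCOVERY_CSV = """\
ip,hostname,criticality
10.0.1.10,web-01,high
10.0.1.11,web-02,high
10.0.2.20,db-01,high
10.0.2.21,db-02,high
10.0.3.30,jump-01,moderate
10.0.3.31,build-01,low
"""

# Constructed sample: export from the scheduled vulnerability scan.
# 10.0.9.99 is a decommissioned host still left in the schedule.
SCHEDULED_CSV = """\
ip,credentialed
10.0.1.10,yes
10.0.1.11,yes
10.0.2.20,no
10.0.3.30,yes
10.0.9.99,yes
"""


def parse_csv(text):
    """Parse a minimal header-first CSV into a list of row dicts."""
    lines = text.strip().splitlines()
    headers = lines[0].split(",")
    rows = [dict(zip(headers, line.split(","))) for line in lines[1:]]
    for row in rows:
        ipaddress.ip_address(row["ip"])  # reject malformed address rows early
    return rows


@dataclass
class CoverageReport:
    discovered: int          # components found by the discovery scan
    scanned: int             # of those, how many the scheduled scan covered
    unscanned: list          # breadth gap: discovered but never scanned
    uncredentialed: list     # depth gap: scanned without authentication
    stale: list              # scheduled but no longer discovered
    by_criticality: dict     # breadth percentage per criticality tier

    @property
    def breadth_pct(self):
        return round(100 * self.scanned / self.discovered, 1) if self.discovered else 0.0


def compare_coverage(discovery_csv, scheduled_csv):
    discovered = {r["ip"]: r for r in parse_csv(discovery_csv)}
    scheduled = {r["ip"]: r for r in parse_csv(scheduled_csv)}
    key = ipaddress.ip_address  # sort numerically, not lexically

    covered = set(discovered) & set(scheduled)
    unscanned = sorted(set(discovered) - covered, key=key)
    stale = sorted(set(scheduled) - set(discovered), key=key)
    uncredentialed = sorted(
        (ip for ip in covered if scheduled[ip]["credentialed"].strip().lower() != "yes"),
        key=key,
    )

    # Breadth per criticality tier: total vs. scanned within each tier.
    tiers = {}
    for ip, row in discovered.items():
        total, hit = tiers.get(row["criticality"], (0, 0))
        tiers[row["criticality"]] = (total + 1, hit + (ip in covered))
    by_criticality = {tier: round(100 * hit / total, 1) for tier, (total, hit) in tiers.items()}

    return CoverageReport(len(discovered), len(covered), unscanned,
                          uncredentialed, stale, by_criticality)


if __name__ == "__main__":
    report = compare_coverage(DISCOVERY_CSV, SCHEDULED_CSV)
    print(f"Breadth: {report.scanned}/{report.discovered} ({report.breadth_pct}%)")
    print("Breadth by criticality:", report.by_criticality)
    print("Unscanned (breadth gap):", report.unscanned)
    print("Uncredentialed (depth gap):", report.uncredentialed)
    print("Stale schedule entries:", report.stale)
```

The two gap lists are the evidence an assessor would expect to see alongside the raw scan exports: an empty unscanned list supports the breadth claim, and an empty uncredentialed list supports the credentialed-scan best practice.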
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD