This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization determines what information about the information system is discoverable by adversaries and subsequently takes [FedRAMP Assignment: (H) notify appropriate service provider personnel and follow procedures for organization and service provider-defined corrective actions].
NIST 800-53 (r4) Supplemental Guidance:
Discoverable information includes information that adversaries could obtain without directly compromising or breaching the information system, for example, by collecting information the system is exposing or by conducting extensive searches of the web. Corrective actions can include, for example, notifying appropriate organizational personnel, removing designated information, or changing the information system to make designated information less relevant or attractive to adversaries. Related control: AU-13.
NIST 800-53 (r5) Discussion:
Discoverable information includes information that adversaries could obtain without compromising or breaching the system, such as by collecting information that the system is exposing or by conducting extensive web searches. Corrective actions include notifying appropriate organizational personnel, removing designated information, or changing the system to make the designated information less relevant or attractive to adversaries. This enhancement excludes intentionally discoverable information that may be part of a decoy capability (e.g., honeypots, honeynets, or deception nets) deployed by the organization.
38North Guidance:
Meets Minimum Requirement:
Notify appropriate service provider personnel and follow procedures for organization and service provider-defined corrective actions.
Best Practice:
Conduct penetration testing or network testing, including network mapping and port scanning, to establish what the system exposes to an outside observer.
Utilize tools such as Nmap, Wireshark, Metasploit, and Nessus to determine what potential threats could be exploited by adversaries.
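The best practice above ends with a scan; the control itself requires the follow-through: deciding which of the discovered information matters and routing it to the right people for corrective action. The script below is an added example (not part of this guidance page or any CSP's tooling) that triages a constructed sample of Nmap "grepable" output from an authorized scan, flags two kinds of discoverable information (services that policy says should not be reachable, and banners that disclose product versions), and attaches the corrective-action category from the control text to each finding. The INTERNAL_ONLY service list and the sample hosts are assumptions made for the example.

```python
"""Triage authorized scan output for adversary-discoverable information (RA-5(4)).

Added example: reads Nmap grepable (-oG) output, keeps only open ports, and
produces findings with a corrective action so owners can be notified.
"""
import re
from dataclasses import dataclass

# Constructed sample in Nmap grepable format (documentation-range addresses,
# invented hostnames and banners); not a real scan result.
SAMPLE_SCAN = """\
# Nmap scan initiated (constructed sample)
Host: 203.0.113.10 (web-01.example.test)\tStatus: Up
Host: 203.0.113.10 (web-01.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1 Ubuntu 4ubuntu0.5/, 80/open/tcp//http//Apache httpd 2.4.41 ((Ubuntu))/, 443/open/tcp//https//Apache httpd 2.4.41/, 8080/filtered/tcp//http-proxy///
Host: 203.0.113.11 (db-01.example.test)\tPorts: 3306/open/tcp//mysql//MySQL 5.7.33/, 161/open/udp//snmp//SNMPv1 server/
"""

# Assumption for the example: services the organization's policy says must
# never be reachable from the scan vantage point (internet-facing).
INTERNAL_ONLY = {"mysql", "mssql", "postgresql", "redis", "snmp", "rdp", "smb"}

# Grepable port entry: port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)//([^/]*)/")
VERSION_RE = re.compile(r"\d+\.\d+")  # "8.2p1", "2.4.41", "5.7.33"


@dataclass
class Finding:
    host: str
    port: str
    service: str
    version: str
    issue: str
    corrective_action: str


def parse_grepable(text):
    """Return (host, port, state, proto, service, version) tuples."""
    results = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1]
        for m in PORT_RE.finditer(ports_field):
            port, state, proto, service, version = m.groups()
            results.append((host, port, state, proto, service, version.strip()))
    return results


def triage(text):
    """Flag open ports that expose internal-only services or version banners."""
    findings = []
    for host, port, state, proto, service, version in parse_grepable(text):
        if state != "open":  # filtered/closed ports reveal nothing useful
            continue
        endpoint = f"{port}/{proto}"
        if service in INTERNAL_ONLY:
            findings.append(Finding(
                host, endpoint, service, version,
                "internal-only service reachable from the scan vantage point",
                "notify system owner; remove exposure (firewall / security group)"))
        if VERSION_RE.search(version):
            findings.append(Finding(
                host, endpoint, service, version,
                "service banner discloses product and version",
                "notify system owner; suppress version in banner or patch to "
                "make the disclosure less useful"))
    return findings


def report(findings):
    """Group findings by host so each owner receives one notification."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, []).append(
            f"  {f.port:<10} {f.service:<8} {f.issue} -> {f.corrective_action}")
    return "\n".join(f"{host}\n" + "\n".join(lines) for host, lines in by_host.items())


if __name__ == "__main__":
    print(report(triage(SAMPLE_SCAN)))
```

Run as a script it prints one block per host; in a pipeline the Finding objects would be handed to the ticketing or notification step the organization's procedure names. The two issue types map onto the control's corrective actions: an exposed internal-only service is something to remove, a version banner is something to change so the information is less useful, and both begin with notifying the owner.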
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Internal & external 3PAO Pen Test results.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD