This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization employs automated mechanisms to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities.
RA-5 (6) Additional FedRAMP Requirements and Guidance: include in Continuous Monitoring ISSO digest/report to JAB/AO
NIST 800-53 (r4) Supplemental Guidance:
Related controls: IR-4, IR-5, SI-4.
NIST 800-53 (r5) Discussion:
Using automated mechanisms to analyze multiple vulnerability scans over time can help determine trends in system vulnerabilities and identify patterns of attack.
38North Guidance:
Meets Minimum Requirement:
The FedRAMP requirement is to include the scan trend analysis in the Continuous Monitoring ISSO digest/report to the JAB/AO.
Vulnerability scanning tools must retain the results of every scan and automatically perform trend analysis across the current and previous scan results.
Best Practice:
Compare each scan's results against previous scans and have the vulnerability management team analyze them for trends in the vulnerabilities affecting the FedRAMP environment, such as findings that reappear after being remediated, growth in a severity class, and findings that remain open past their remediation deadline.
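Worked example, added here to show what the automated comparison looks like in practice; it is not 38North's code, nor any scanner vendor's export format. The record layout (asset, id, severity), the scan dates, the findings and the remediation windows are constructed assumptions; a scanner's CSV or JSON export would be mapped onto the same three fields. Given retained monthly snapshots, it classifies each finding as new, persistent or remediated between consecutive scans, flags findings that come back after being fixed, tracks open-finding counts per severity over time, and lists findings whose continuous open time exceeds the assumed remediation window.

```python
"""Automated trend analysis across retained vulnerability scan results.

Added example for this page, not 38North's code or a scanner vendor's format.
Field names, scan dates, findings and remediation windows are all assumptions.
"""
from collections import Counter
from datetime import date

# Assumed remediation windows in days per severity (set to match your POA&M policy).
REMEDIATION_WINDOW_DAYS = {"high": 30, "moderate": 90, "low": 180}

# Constructed monthly scan snapshots: the retained results that are compared over time.
SCANS = {
    date(2024, 1, 15): [
        {"asset": "web-01", "id": "CVE-2023-44487", "severity": "high"},
        {"asset": "web-01", "id": "CVE-2023-38545", "severity": "high"},
        {"asset": "db-01", "id": "CVE-2023-39417", "severity": "moderate"},
        {"asset": "db-01", "id": "CVE-2022-0778", "severity": "low"},
    ],
    date(2024, 2, 15): [
        {"asset": "web-01", "id": "CVE-2023-44487", "severity": "high"},
        {"asset": "db-01", "id": "CVE-2023-39417", "severity": "moderate"},
        {"asset": "db-01", "id": "CVE-2022-0778", "severity": "low"},
        {"asset": "web-02", "id": "CVE-2023-44487", "severity": "high"},
    ],
    date(2024, 3, 15): [
        {"asset": "web-01", "id": "CVE-2023-44487", "severity": "high"},
        {"asset": "web-01", "id": "CVE-2023-38545", "severity": "high"},  # fixed in Feb, back in Mar
        {"asset": "db-01", "id": "CVE-2022-0778", "severity": "low"},
        {"asset": "web-02", "id": "CVE-2023-44487", "severity": "high"},
        {"asset": "web-02", "id": "CVE-2024-3094", "severity": "high"},
    ],
}
AS_OF = date(2024, 3, 20)  # assumed date the digest/report is produced


def key(finding):
    """A finding is identified by (asset, vulnerability id), so a re-rated severity still matches."""
    return (finding["asset"], finding["id"])


def diff_scans(previous, current):
    """Classify findings as new, persistent, or remediated between two consecutive scans."""
    prev, cur = {key(f) for f in previous}, {key(f) for f in current}
    return {
        "new": sorted(cur - prev),
        "persistent": sorted(cur & prev),
        "remediated": sorted(prev - cur),
    }


def open_since(scans):
    """Date each currently open finding has been continuously present.

    The clock resets if a finding disappears and later returns, so a regression
    is aged from its reappearance rather than from its original discovery.
    """
    since = {}
    for scan_date in sorted(scans):
        present = {key(f) for f in scans[scan_date]}
        since = {k: d for k, d in since.items() if k in present}
        for k in present:
            since.setdefault(k, scan_date)
    return since


def overdue(scans, as_of):
    """Findings in the latest scan whose open time exceeds their severity's remediation window."""
    since = open_since(scans)
    result = []
    for f in scans[max(scans)]:
        age = (as_of - since[key(f)]).days
        if age > REMEDIATION_WINDOW_DAYS[f["severity"]]:
            result.append((key(f), age))
    return sorted(result)


def severity_trend(scans):
    """Open-finding counts per severity for each scan date, oldest first."""
    return [(d, dict(Counter(f["severity"] for f in scans[d]))) for d in sorted(scans)]


def trend_report(scans, as_of):
    """Per-scan deltas (recurring findings flagged), severity counts over time, and overdue findings."""
    dates = sorted(scans)
    deltas, seen_before = [], set()
    for i, d in enumerate(dates):
        delta = {"date": d, "new": [], "persistent": [], "remediated": [], "recurring": []}
        if i > 0:
            delta.update(diff_scans(scans[dates[i - 1]], scans[d]))
            # "New" but seen in an earlier scan means a fix was lost (e.g. redeploy from an old image).
            delta["recurring"] = [k for k in delta["new"] if k in seen_before]
        seen_before |= {key(f) for f in scans[d]}
        deltas.append(delta)
    return {"severity_trend": severity_trend(scans), "deltas": deltas, "overdue": overdue(scans, as_of)}


if __name__ == "__main__":
    report = trend_report(SCANS, AS_OF)
    for d, counts in report["severity_trend"]:
        print(d, counts)
    for delta in report["deltas"][1:]:
        print(delta["date"], "new:", len(delta["new"]), "remediated:", len(delta["remediated"]),
              "recurring:", delta["recurring"])
    print("overdue:", report["overdue"])
```

The three outputs map directly onto the ISSO digest: the severity trend is the chart over time, the per-scan deltas with recurring findings are the narrative on what changed and why, and the overdue list is what feeds the POA&M. Keying on (asset, id) rather than on the scanner's per-scan finding number is what makes the comparison survive across scan runs and severity re-ratings.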
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Screenshots showing automated trend analysis being performed on vulnerability scan results (for example, the scanner's trend dashboard or the generated comparison report included in the ISSO digest).
Screenshots showing vulnerability scan results being saved and retained, with enough history to support the comparison.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD