This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization reviews historic audit logs to determine if a vulnerability identified in the information system has been previously exploited.
RA-5 (8) Additional FedRAMP Requirements and Guidance: This enhancement is required for all high vulnerability scan findings.
RA-5 (8) Additional FedRAMP Requirements and Guidance: While scanning tools may label findings as high or critical, the intent of the control is based around NIST's definition of high vulnerability.
NIST 800-53 (r4) Supplemental Guidance:
Related control: AU-6.
NIST 800-53 (r5) Discussion:
Reviewing historic audit logs to determine if a recently detected vulnerability in a system has been previously exploited by an adversary can provide important information for forensic analyses. Such analyses can help identify, for example, the extent of a previous intrusion, the trade craft employed during the attack, organizational information exfiltrated or modified, mission or business capabilities affected, and the duration of the attack.
38North Guidance:
Meets Minimum Requirement:
FedRAMP requires all high vulnerability scan findings to be reviewed.
Compare current scan results with those of previous scans, and have the vulnerability management team review the results, including a review of historic audit logs, to determine whether the FedRAMP environment has been exploited by adversaries.
Best Practice:
The vulnerability management team should routinely review the vulnerability scan results after each scan of the environment has been completed.
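The review workflow above (compare the current scan with the previous one, then check the retained audit logs for each new high finding) can be scripted. The following is an added illustration, not 38North's or FedRAMP's tooling; the scan exports, audit log lines, CVE placeholders and the list of audit events worth an analyst's attention are all constructed, and "high" is taken as CVSS 7.0 or above, following the NVD qualitative rating scale.

```python
import json
from datetime import datetime

# Constructed scan exports (not real scanner output): one finding per host/CVE pair.
PREVIOUS_SCAN = [
    {"host": "web-01", "cve": "CVE-0000-0001", "cvss": 5.3},
]
CURRENT_SCAN = [
    {"host": "web-01", "cve": "CVE-0000-0001", "cvss": 5.3},
    {"host": "web-01", "cve": "CVE-0000-0002", "cvss": 9.8, "exposed_since": "2024-01-10T00:00:00"},
    {"host": "db-01", "cve": "CVE-0000-0003", "cvss": 7.5, "exposed_since": "2024-02-01T00:00:00"},
]
# Constructed JSON-lines audit log retained from the environment.
AUDIT_LOG = """
{"ts": "2024-01-05T08:00:00", "host": "web-01", "event": "login", "detail": "deploy user"}
{"ts": "2024-01-12T03:14:00", "host": "web-01", "event": "process_exec", "detail": "/tmp/update.sh"}
{"ts": "2024-01-12T03:15:00", "host": "web-01", "event": "outbound_connection", "detail": "198.51.100.7:8443"}
{"ts": "2024-02-03T10:00:00", "host": "db-01", "event": "login", "detail": "dba user"}
""".strip()

HIGH_CVSS = 7.0  # NVD CVSS v3 qualitative rating: High is 7.0-8.9, Critical is 9.0-10.0
# Assumed list of audit event types an analyst would pull when looking for post-exploitation activity.
REVIEW_EVENTS = {"auth_failure", "process_exec", "outbound_connection", "privilege_change"}

def new_high_findings(previous, current):
    """Return high/critical findings in the current scan that were absent from the previous scan."""
    seen = {(f["host"], f["cve"]) for f in previous}
    return [f for f in current if f["cvss"] >= HIGH_CVSS and (f["host"], f["cve"]) not in seen]

def historic_log_review(finding, log_text, until):
    """Collect review-worthy audit events for the finding's host during its exposure window."""
    start = datetime.fromisoformat(finding["exposed_since"])
    end = datetime.fromisoformat(until)
    hits = []
    for line in log_text.splitlines():
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["ts"])
        if rec["host"] == finding["host"] and start <= ts <= end and rec["event"] in REVIEW_EVENTS:
            hits.append(rec)
    return hits

def ra5_8_report(previous, current, log_text, until):
    """Map each new high finding to the audit events recorded while the host was exposed."""
    return {f["cve"]: historic_log_review(f, log_text, until) for f in new_high_findings(previous, current)}

if __name__ == "__main__":
    for cve, events in ra5_8_report(PREVIOUS_SCAN, CURRENT_SCAN, AUDIT_LOG, "2024-03-01T00:00:00").items():
        print(cve, "needs forensic follow-up" if events else "no review-worthy audit events", events)
```

A non-empty event list is the trigger for the forensic analysis described in the r5 discussion above; an empty list only means nothing in the retained logs for that host and window matched, and is itself evidence worth keeping for the assessment.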
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Screenshots of the vulnerability management team analyzing vulnerability scan results, including the review of historic audit logs.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD