This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization employs automated mechanisms [FedRAMP Assignment: (M)(H) at least monthly] to determine the state of information system components with regard to flaw remediation.
NIST 800-53 (r4) Supplemental Guidance:
Related controls: CM-6, SI-4.
NIST 800-53 (r5) Discussion:
Automated mechanisms can track and determine the status of known flaws for system components.
38North Guidance:
Meets Minimum Requirement:
Deploy automated mechanisms (e.g., a vulnerability scanner) to determine the state of information system components with regard to flaw remediation.
Best Practice:
Although code scanning is addressed in another control family (SA), it should also be addressed here, along with any systems the CSP uses to monitor dependencies.
Unofficial FedRAMP Guidance:
FedRAMP has a bias in favor of pipeline-based solutions. So even when the development environment is out of scope, deploying flaw remediation tools upstream in the pipeline is a preferred approach and demonstrates maturity.
Assessment Evidence:
Automated mechanisms (e.g., a vulnerability scanner) deployed to determine the state of information system components with regard to flaw remediation.
CSP Implementation Tips: None