03.11.02: Vulnerability Monitoring and Scanning

Control Family: Risk Assessment

SPRS: N/A

Top Ten Failed Requirement: N/A

Supporting Publications:

  • SP 800-40 [56]

  • SP 800-53A [57]

  • SP 800-70 [44]

  • SP 800-115 [58]

  • SP 800-126 [45]

Referenced in: N/A

Control Type: N/A

CPCSC Level 2: 03.11.02

CMMC Level(s): N/A

Derived From: NIST SP 800-53r5

  • RA-05

  • RA-05(02)

a. Monitor and scan the system for vulnerabilities [Assignment: organization-defined frequency] and when new vulnerabilities affecting the system are identified.

b. Remediate system vulnerabilities within [Assignment: organization-defined response times].

c. Update system vulnerabilities to be scanned [Assignment: organization-defined frequency] and when new vulnerabilities are identified and reported.

Discussion:

Organizations determine the required vulnerability scanning for system components and ensure that potential sources of vulnerabilities (e.g., networked printers, scanners, and copiers) are not overlooked. Vulnerability analyses for custom software may require additional approaches, such as static analysis, dynamic analysis, or binary analysis. Organizations can use these approaches in source code reviews and tools (e.g., static analysis tools, web-based application scanners, binary analyzers). Vulnerability scanning includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for improperly configured or incorrectly operating flow control mechanisms.

To facilitate interoperability, organizations consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention. Sources for vulnerability information also include the Common Weakness Enumeration (CWE) listing, the National Vulnerability Database (NVD), and the Common Vulnerability Scoring System (CVSS).
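The requirement text leaves the response times in (b) and the "should not be accessible" baseline in the discussion to the organization. The following is an added illustration, not part of SP 800-171 or SP 800-171A, of how those two organization-defined parameters can be checked mechanically against scan output expressed in CVE/CVSS terms. The response-time table, the approved-service baseline, the host names and the finding records (including the CVE-0000-* identifiers) are all constructed placeholders, not real vulnerabilities or real organizational values.

```python
"""Added example: check remediation response times for CVE-expressed findings
and flag services exposed beyond an approved baseline (03.11.02 a and b)."""
from datetime import date, timedelta

# Hypothetical organization-defined response times (ODP[03]) in calendar days,
# keyed on CVSS v3.x qualitative severity. Assumed values for illustration only.
RESPONSE_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Hypothetical approved-services baseline: ports permitted to be reachable on
# each host. Anything else found listening is a finding under 03.11.02(a).
BASELINE = {"web-01": {443}, "print-01": {9100, 631}}

# Constructed scan findings (placeholder identifiers, not real CVE records).
FINDINGS = [
    {"cve": "CVE-0000-0001", "cvss": 9.8, "host": "print-01",
     "detected": date(2024, 3, 1), "remediated": None},
    {"cve": "CVE-0000-0002", "cvss": 7.5, "host": "web-01",
     "detected": date(2024, 3, 20), "remediated": date(2024, 4, 10)},
    {"cve": "CVE-0000-0003", "cvss": 5.3, "host": "web-01",
     "detected": date(2024, 4, 1), "remediated": None},
    {"cve": "CVE-0000-0004", "cvss": 9.1, "host": "copier-01",
     "detected": date(2024, 2, 1), "remediated": date(2024, 2, 20)},
]

# Constructed listening-port inventory from the same scan run.
OBSERVED = {"web-01": {443, 22}, "print-01": {9100, 631}, "copier-01": {80}}

# Date the report is evaluated "as of" (constructed).
AS_OF = date(2024, 4, 15)


def cvss_severity(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative severity rating."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "none"


def remediation_status(finding: dict, today: date) -> dict:
    """Compare one finding against the response time for its severity.

    States: "met" (closed on time), "missed" (closed late),
    "open" (still within the window), "overdue" (open past the window).
    """
    severity = cvss_severity(finding["cvss"])
    due = finding["detected"] + timedelta(days=RESPONSE_DAYS[severity])
    closed = finding["remediated"]
    if closed is not None:
        state = "met" if closed <= due else "missed"
    else:
        state = "overdue" if today > due else "open"
    return {"cve": finding["cve"], "host": finding["host"],
            "severity": severity, "due": due, "state": state}


def remediation_report(findings: list, today: date) -> list:
    """Evaluate every finding; used as evidence for A.03.11.02.b."""
    return [remediation_status(f, today) for f in findings]


def overdue_findings(findings: list, today: date) -> list:
    """Return the CVE ids that are open and past their response time."""
    return [r["cve"] for r in remediation_report(findings, today)
            if r["state"] == "overdue"]


def unexpected_services(baseline: dict, observed: dict) -> dict:
    """Return {host: sorted ports} that were observed listening but are not in
    the approved baseline; hosts absent from the baseline have no allowance."""
    result = {}
    for host, ports in observed.items():
        extra = ports - baseline.get(host, set())
        if extra:
            result[host] = sorted(extra)
    return result


if __name__ == "__main__":
    for row in remediation_report(FINDINGS, AS_OF):
        print(f"{row['cve']} {row['host']} {row['severity']:8} "
              f"due {row['due']} -> {row['state']}")
    print("overdue:", overdue_findings(FINDINGS, AS_OF))
    print("unexpected services:", unexpected_services(BASELINE, OBSERVED))
```

The two checks map directly onto the assessment evidence an assessor looks for: the report rows are the "patch and vulnerability management records" for (b), and the baseline diff is the scan for "ports, protocols, and services that should not be accessible" in the discussion. Note that a host missing from the baseline (the copier here) is treated as having no approved services at all, which is the conservative reading that keeps overlooked devices from being silently accepted.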

Assessment Methods and Objectives

Examine [SELECT FROM: risk assessment policy and procedures; procedures for vulnerability scanning; patch and vulnerability management records; vulnerability scanning tools and configuration documentation; vulnerability scanning results; risk assessment; risk assessment report; system security plan; other relevant documents or records]

Interview [SELECT FROM: personnel with risk assessment and vulnerability scanning responsibilities; personnel with vulnerability scan analysis responsibilities; personnel with vulnerability remediation responsibilities; personnel with information security responsibilities; system administrators]

Test [SELECT FROM: processes for vulnerability monitoring, scanning, analysis, and remediation; mechanisms for supporting or implementing vulnerability monitoring, scanning, analysis, and remediation]

NIST SP 800-171A r3 Determining Statements

Determine if:

A.03.11.02.ODP[01]: the frequency at which the system is monitored for vulnerabilities is defined.

A.03.11.02.ODP[02]: the frequency at which the system is scanned for vulnerabilities is defined.

A.03.11.02.ODP[03]: response times to remediate system vulnerabilities are defined.

A.03.11.02.ODP[04]: the frequency at which to update system vulnerabilities to be scanned is defined.

A.03.11.02.a[01]: the system is monitored for vulnerabilities <A.03.11.02.ODP[01]: frequency>.

A.03.11.02.a[02]: the system is scanned for vulnerabilities <A.03.11.02.ODP[02]: frequency>.

A.03.11.02.a[03]: the system is monitored for vulnerabilities when new vulnerabilities that affect the system are identified.

A.03.11.02.a[04]: the system is scanned for vulnerabilities when new vulnerabilities that affect the system are identified.

A.03.11.02.b: system vulnerabilities are remediated within <A.03.11.02.ODP[03]: response times>.

A.03.11.02.c[01]: system vulnerabilities to be scanned are updated <A.03.11.02.ODP[04]: frequency>.

A.03.11.02.c[02]: system vulnerabilities to be scanned are updated when new vulnerabilities are identified and reported.