ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded


[Note: Subcategories do not have detailed descriptions. However, NIST has provided the following implementation examples.]

Implementation Examples

1st: 1st Party Risk

Ex1: Use vulnerability management technologies to identify unpatched and misconfigured software

Ex2: Assess network and system architectures for design and implementation weaknesses that affect cybersecurity

Ex3: Review, analyze, or test organization-developed software to identify design, coding, and default configuration vulnerabilities

Ex4: Assess facilities that house critical computing assets for physical vulnerabilities and resilience issues

Ex5: Monitor sources of cyber threat intelligence for information on new vulnerabilities in products and services

Ex6: Review processes and procedures for weaknesses that could be exploited to affect cybersecurity