ID.RA-08: Processes for receiving, analyzing, and responding to vulnerability disclosures are established


[Note: Subcategories do not have detailed descriptions. However, NIST has provided the following implementation examples.]

Implementation Examples

1st: 1st Party Risk

3rd: 3rd Party Risk

Ex1: Conduct vulnerability information sharing between the organization and its suppliers following the rules and protocols defined in contracts

Ex2: Assign responsibilities and verify the execution of procedures for processing, analyzing the impact of, and responding to cybersecurity threat, vulnerability, or incident disclosures by suppliers, customers, partners, and government cybersecurity organizations