SA-15(7): Automated Vulnerability Analysis

CSF v1.1 References:


(Not part of any baseline)

Next Version:

Control Statement

The organization requires the developer of the information system, system component, or information system service to:

  1. Perform an automated vulnerability analysis using [Assignment: organization-defined tools];
  2. Determine the exploitation potential for discovered vulnerabilities;
  3. Determine potential risk mitigations for delivered vulnerabilities; and
  4. Deliver the outputs of the tools and results of the analysis to [Assignment: organization-defined personnel or roles].