SA-15(7): Automated Vulnerability Analysis
CSF v1.1 References:
(Not part of any baseline)
- NIST Special Publication 800-53 Revision 4:
- SA-15(7): Automated Vulnerability Analysis
Require the developer of the system, system component, or system service [Assignment: organization-defined frequency] to:
- Perform an automated vulnerability analysis using [Assignment: organization-defined tools];
- Determine the exploitation potential for discovered vulnerabilities;
- Determine potential risk mitigations for delivered vulnerabilities; and
- Deliver the outputs of the tools and results of the analysis to [Assignment: organization-defined personnel or roles].
Automated tools can be more effective at analyzing exploitable weaknesses or deficiencies in large and complex systems, prioritizing vulnerabilities by severity, and providing recommendations for risk mitigations.