SA-15(7): Automated Vulnerability Analysis

Control Family:

System and Services Acquisition

Parent Control:

SA-15: Development Process, Standards, and Tools

CSF v1.1 References:

ID.SC-2

Baselines:

(Not part of any baseline)

Previous Version:

NIST Special Publication 800-53 Revision 4:
SA-15(7): Automated Vulnerability Analysis

Control Statement

Require the developer of the system, system component, or system service [Assignment: organization-defined frequency] to:

Perform an automated vulnerability analysis using [Assignment: organization-defined tools];
Determine the exploitation potential for discovered vulnerabilities;
Determine potential risk mitigations for delivered vulnerabilities; and
Deliver the outputs of the tools and results of the analysis to [Assignment: organization-defined personnel or roles].

Supplemental Guidance

Automated tools can be more effective at analyzing exploitable weaknesses or deficiencies in large and complex systems, prioritizing vulnerabilities by severity, and providing recommendations for risk mitigations.

Control Statement

Supplemental Guidance

Related Controls

NIST Special Publication 800-53 Revision 5