NIST 800-53 REV 5 • RISK ASSESSMENT
RA-5(2) — Update Vulnerabilities to Be Scanned
Update the system vulnerabilities to be scanned {{ insert: param, ra-05.02_odp.01 }}.
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
Supplemental Guidance
Due to the complexity of modern software, systems, and other factors, new vulnerabilities are discovered on a regular basis. It is important that newly discovered vulnerabilities are added to the list of vulnerabilities to be scanned to ensure that the organization can take steps to mitigate those vulnerabilities in a timely manner.
Practitioner Notes
The list of vulnerabilities you scan for must be updated to include newly discovered vulnerabilities. This means subscribing to CVE feeds and updating your scan profiles accordingly.
Example 1: Monitor the NIST National Vulnerability Database (NVD) and CISA's Known Exploited Vulnerabilities (KEV) catalog. When new vulnerabilities are added to the KEV catalog, verify that your scanner includes checks for them and run a targeted scan within 48 hours.
Example 2: Subscribe to vendor security advisory mailing lists (Microsoft Security Response Center, Cisco PSIRT, etc.) for all software in your environment. When a new advisory drops, verify your scanner has the corresponding check and update your scan configuration if needed.
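The following Python script is an added example, not part of the NIST control text or of these notes. It turns the two examples above into a repeatable check: it parses a feed in the CISA KEV JSON format, lists the entries added since the last catalog sync, flags the ones the organization's scanner has no check for (the RA-5(2) gap), and flags entries whose 48-hour targeted scan has not been run in time. The field names match the real KEV feed; the CVE IDs, vendor and product names, dates, scanner inventory and scan log are constructed placeholders, and the 48-hour SLA is taken from Example 1.

```python
import json
from datetime import date, datetime, timedelta

# Constructed sample in the shape of the CISA KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Field names match the real feed; the entries themselves are placeholders.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "example",
    "dateReleased": "2024-06-03T12:00:00.0000Z",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "ExampleGateway",
         "vulnerabilityName": "Placeholder RCE", "dateAdded": "2024-06-02",
         "dueDate": "2024-06-23", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "ExampleMail",
         "vulnerabilityName": "Placeholder auth bypass", "dateAdded": "2024-06-01",
         "dueDate": "2024-06-22", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "OtherRouter",
         "vulnerabilityName": "Placeholder old entry", "dateAdded": "2024-01-15",
         "dueDate": "2024-02-05", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed inventory: CVE IDs the organization's scanner currently has checks for.
# In practice this comes from the scanner's plugin/check export.
SCANNER_CHECKS = {"CVE-0000-0001", "CVE-0000-0003"}

# Constructed log of targeted scans already run, keyed by CVE ID.
TARGETED_SCANS_RUN = {"CVE-0000-0003": datetime(2024, 1, 16, 9, 0)}

# Targeted-scan SLA from Example 1 above.
TARGETED_SCAN_SLA = timedelta(hours=48)


def load_kev(raw_json):
    """Parse a KEV-format feed and return its vulnerability entries."""
    return json.loads(raw_json)["vulnerabilities"]


def _added_on(entry):
    """KEV dateAdded is a bare date; treat it as the start of that day (conservative)."""
    return datetime.strptime(entry["dateAdded"], "%Y-%m-%d")


def kev_added_since(entries, since):
    """Entries whose dateAdded is on or after `since` (a date), i.e. new since the last sync."""
    return [e for e in entries if _added_on(e).date() >= since]


def missing_scanner_checks(entries, scanner_checks):
    """CVE IDs present in the feed but absent from the scanner's check inventory."""
    return sorted(e["cveID"] for e in entries if e["cveID"] not in scanner_checks)


def overdue_targeted_scans(entries, scans_run, now, sla=TARGETED_SCAN_SLA):
    """CVE IDs whose targeted scan was not run within `sla` of being added to the catalog."""
    overdue = []
    for e in entries:
        deadline = _added_on(e) + sla
        ran_at = scans_run.get(e["cveID"])
        if ran_at is None:
            if now > deadline:          # never scanned and the window has closed
                overdue.append(e["cveID"])
        elif ran_at > deadline:         # scanned, but after the SLA expired
            overdue.append(e["cveID"])
    return sorted(overdue)


def assess(raw_json, scanner_checks, scans_run, last_sync, now):
    """Summarize what changed since `last_sync` and where coverage or timeliness is lacking."""
    new_entries = kev_added_since(load_kev(raw_json), last_sync)
    return {
        "new_entries": sorted(e["cveID"] for e in new_entries),
        "missing_checks": missing_scanner_checks(new_entries, scanner_checks),
        "overdue_scans": overdue_targeted_scans(new_entries, scans_run, now),
    }


if __name__ == "__main__":
    report = assess(SAMPLE_KEV_JSON, SCANNER_CHECKS, TARGETED_SCANS_RUN,
                    last_sync=date(2024, 5, 31), now=datetime(2024, 6, 3, 12, 0))
    for key, ids in report.items():
        print(f"{key}: {', '.join(ids) or 'none'}")
```

Run on a schedule after each catalog pull, the `missing_checks` list is the evidence that the scan profile was updated (or still needs updating), and `overdue_scans` is the evidence for the 48-hour targeted-scan commitment. The same structure applies to vendor advisory feeds from Example 2, substituting the advisory's CVE list for the KEV entries.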