
RA-5(11) Vulnerability Monitoring and Scanning | Public Disclosure Program

Impact levels: IL4 Mod, IL4 High, IL5, IL6

>Control Description

Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components.

>DoD Impact Level Requirements

No specific parameter values or requirements for this impact level.

>Discussion

The reporting channel is publicly discoverable and contains clear language authorizing good-faith research and the disclosure of vulnerabilities to the organization. The organization does not condition its authorization on an expectation of indefinite non-disclosure to the public by the reporting entity but may request a specific time period to properly remediate the vulnerability.
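A concrete way to make the reporting channel "publicly discoverable" is a security.txt file in the RFC 9116 format, served at /.well-known/security.txt, whose Policy field points to the page carrying the good-faith authorization described above. The following Python is an added example, not part of this control page or of any product it lists: it renders such a file and validates one against the RFC's required fields (Contact, Expires) plus a local check that a Policy link is present. All URLs, addresses and dates are constructed, and restricting Contact to https/mailto/tel is a local policy choice that is stricter than the RFC, which only requires a URI.

```python
"""Render and validate a minimal RFC 9116 security.txt for a public
vulnerability reporting channel. Added example; all sample values are constructed."""
from datetime import datetime, timedelta, timezone

# RFC 9116 makes these two fields mandatory; Expires must appear exactly once.
REQUIRED = ("Contact", "Expires")
# Local policy (stricter than the RFC): accept only these URI schemes for Contact.
ALLOWED_CONTACT_SCHEMES = ("https://", "mailto:", "tel:")
RFC3339_UTC = "%Y-%m-%dT%H:%M:%SZ"


def render_security_txt(contact, policy_url, expires, canonical=None, languages="en"):
    """Render a security.txt. `policy_url` should be the page that authorizes
    good-faith research, so researchers can find the terms before reporting."""
    lines = [
        f"Contact: {contact}",
        f"Expires: {expires.strftime(RFC3339_UTC)}",
        f"Policy: {policy_url}",
        f"Preferred-Languages: {languages}",
    ]
    if canonical:
        lines.append(f"Canonical: {canonical}")
    return "\n".join(lines) + "\n"


def parse_security_txt(text):
    """Parse 'Field: value' lines into {field: [values]}; blank and # lines are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def validate_security_txt(text, now=None):
    """Return a list of problems found; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []
    for name in REQUIRED:
        if name not in fields:
            problems.append(f"missing required field: {name}")
    for contact in fields.get("Contact", []):
        if not contact.startswith(ALLOWED_CONTACT_SCHEMES):
            problems.append(f"Contact must be an https://, mailto: or tel: URI: {contact}")
    expires = fields.get("Expires", [])
    if len(expires) > 1:
        problems.append("Expires must appear exactly once")
    for value in expires:
        try:
            when = datetime.strptime(value, RFC3339_UTC).replace(tzinfo=timezone.utc)
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 UTC timestamp: {value}")
            continue
        if when <= now:
            problems.append("Expires is in the past; the file must be refreshed")
        elif when - now > timedelta(days=365):
            problems.append("Expires is more than a year out; RFC 9116 recommends less than a year")
    if "Policy" not in fields:
        problems.append("no Policy field; researchers cannot find the good-faith authorization")
    return problems


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    today = datetime.now(timezone.utc)
    doc = render_security_txt(
        contact="mailto:security@example.com",
        policy_url="https://example.com/vulnerability-disclosure-policy",
        expires=today + timedelta(days=180),
        canonical="https://example.com/.well-known/security.txt",
    )
    print(doc)
    print("problems:", validate_security_txt(doc) or "none")
```

Run the validator periodically (for example from the same pipeline that publishes the site) so an expired file, which browsers and researchers will treat as stale, is caught before the channel silently stops being discoverable.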

>Programmatic Queries


Related Services

AWS Security Hub
AWS Marketplace
AWS SNS

CLI Commands

Import vulnerability findings received through the disclosure channel into Security Hub
aws securityhub batch-import-findings --findings file://public-disclosure-findings.json
Designate the Security Hub delegated administrator account for the organization (123456789012 is a placeholder account ID)
aws securityhub enable-organization-admin-account --admin-account-id 123456789012
Create an SNS topic for public disclosure notifications
aws sns create-topic --name vulnerability-public-disclosure --attributes DisplayName='Vulnerability Public Disclosure'
Subscribe a security researcher's e-mail address to the disclosure topic (researcher@example.com is a placeholder)
aws sns subscribe --topic-arn arn:aws:sns:us-east-1:123456789012:vulnerability-public-disclosure --protocol email --notification-endpoint researcher@example.com

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What is your organization's documented risk assessment policy and how does it address the requirements of RA-5(11)?
  • Who has been designated as responsible for conducting and maintaining risk assessments?
  • How frequently are risk assessments conducted and what triggers an update to the risk assessment?

Technical Implementation:

  • What methodology or framework do you use to conduct risk assessments?
  • How do you identify and categorize threats and vulnerabilities during the risk assessment process?
  • What tools or systems support your risk assessment activities?
  • What vulnerability scanning tools are used and how often are scans performed?

Evidence & Documentation:

  • Can you provide the most recent risk assessment report?
  • What evidence demonstrates that risk assessment findings are communicated to appropriate stakeholders?
  • Where are risk assessment results documented and how long are they retained?
  • Can you provide recent vulnerability scan reports and evidence of remediation?
