
RA-5(2) Vulnerability Monitoring and Scanning | Update Vulnerabilities to Be Scanned

IL4 Mod
IL4 High
IL5
IL6

>Control Description

Update the system vulnerabilities to be scanned [Selection (one or more): organization-defined frequency; prior to a new scan; when new vulnerabilities are identified and reported].

>DoD Impact Level Requirements

FedRAMP Parameter Values

RA-5 (2) [within 24 hours prior to running scans]

>Discussion

Due to the complexity of modern software, systems, and other factors, new vulnerabilities are discovered on a regular basis. It is important that newly discovered vulnerabilities are added to the list of vulnerabilities to be scanned to ensure that the organization can take steps to mitigate those vulnerabilities in a timely manner.

>Programmatic Queries


Related Services

Amazon Inspector
AWS Systems Manager Patch Manager
AWS Security Hub

CLI Commands

Enable Amazon Inspector (the current inspector2 API) for EC2, ECR and Lambda scanning in this account and Region; Inspector's vulnerability database is maintained by AWS, so there is no definition feed to update by hand
aws inspector2 enable --resource-types EC2 ECR LAMBDA
Create a patch baseline that approves Critical and Important security patches with no delay (ApproveAfterDays=0); Patch Manager pulls current patch metadata from the OS vendor at scan time, and the baseline only controls which updates are in scope. Note that Amazon Linux 2 severities are Critical, Important, Medium and Low, not High
aws ssm create-patch-baseline --operating-system AMAZON_LINUX_2 --name latest-vulnerabilities --approval-rules "PatchRules=[{PatchFilterGroup={PatchFilters=[{Key=CLASSIFICATION,Values=[Security]},{Key=SEVERITY,Values=[Critical,Important]}]},ApproveAfterDays=0}]"
List active Inspector findings for EC2 instances, most severe first
aws inspector2 list-findings --filter-criteria '{"resourceType":[{"comparison":"EQUALS","value":"AWS_EC2_INSTANCE"}],"findingStatus":[{"comparison":"EQUALS","value":"ACTIVE"}]}' --sort-criteria field=SEVERITY,sortOrder=DESC
List the patch baselines owned by this account to confirm which baseline and approval rules scans are using (this command reads configuration; it does not change a scan schedule)
aws ssm describe-patch-baselines --filters "Key=OWNER,Values=[Self]"
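Inspector and Patch Manager keep their vulnerability data current on the AWS side, so for those services the evidence is the scan and finding timestamps. Where you operate a scanner with a local definition feed (a host, container or network scanner), the FedRAMP parameter above becomes a pre-scan gate: the feed must have been refreshed within 24 hours of the scan, and the scan must not run otherwise. The script below is an added example, not code from the original page or from any AWS tool. It assumes GNU date (Linux), a hypothetical scanner that writes a key=value metadata file with an `updated_at=<ISO-8601 UTC>` line after each feed refresh, and caller-supplied refresh and scan commands, since those differ per scanner.

```shell
#!/usr/bin/env bash
# Pre-scan freshness gate for RA-5(2): run the scan only if the vulnerability
# definitions were updated within the last 24 hours, refreshing them first if stale.
# Added example, not from the original page. Assumptions: GNU date; the scanner's
# metadata file (hypothetical layout) contains "updated_at=2024-05-01T10:00:00Z";
# REFRESH_CMD and SCAN_CMD are whatever your scanner uses (hypothetical here).
set -euo pipefail

MAX_AGE_SECONDS=$((24 * 60 * 60))   # FedRAMP RA-5(2) parameter: 24 hours

# iso_to_epoch TS: ISO-8601 UTC timestamp -> epoch seconds (fails on garbage input).
iso_to_epoch() {
    date -u -d "$1" +%s
}

# feed_is_fresh UPDATED_AT NOW [MAX_AGE_SECONDS]
# Returns 0 when UPDATED_AT lies within MAX_AGE seconds before NOW and is not in
# the future, 1 otherwise. NOW is an argument rather than $(date) so the decision
# is reproducible for auditors and tests.
feed_is_fresh() {
    local updated="$1" now="$2" max_age="${3:-$MAX_AGE_SECONDS}"
    local u n age
    [ -n "$updated" ] || return 1          # empty timestamp: GNU date would treat "" as today
    u=$(iso_to_epoch "$updated") || return 1
    n=$(iso_to_epoch "$now") || return 1
    age=$((n - u))
    if [ "$age" -ge 0 ] && [ "$age" -le "$max_age" ]; then
        return 0
    fi
    return 1
}

# read_updated_at FILE: value of the updated_at key, empty if the file or key is missing.
read_updated_at() {
    [ -f "$1" ] || return 0
    awk -F= '$1 == "updated_at" { print $2; exit }' "$1"
}

# run_gated_scan METADATA_FILE REFRESH_CMD SCAN_CMD EVIDENCE_LOG [NOW]
# Refreshes the feed when stale, re-checks it, runs the scan, and appends one
# evidence line (scan start + definition timestamp) that answers the assessor's
# "how do you know the definitions were current?" question directly.
# Returns 2 and does NOT scan if the feed is still stale after the refresh.
run_gated_scan() {
    local meta="$1" refresh_cmd="$2" scan_cmd="$3" evidence="$4"
    local now="${5:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}"
    local updated
    updated=$(read_updated_at "$meta")
    if ! feed_is_fresh "$updated" "$now"; then
        echo "definitions updated at '${updated:-unknown}' are older than 24h; refreshing" >&2
        bash -c "$refresh_cmd"
        updated=$(read_updated_at "$meta")
        if ! feed_is_fresh "$updated" "$now"; then
            echo "refresh did not yield fresh definitions; refusing to scan" >&2
            return 2
        fi
    fi
    bash -c "$scan_cmd"
    printf 'scan_started=%s definitions_updated_at=%s\n' "$now" "$updated" >> "$evidence"
}
```

Wire this in front of whatever launches your scan (a cron job, an SSM Run Command document, a CI step), and keep the evidence log with the scan reports: together they show both the refresh within the 24-hour window and the scan that followed it. The gate treats a future-dated `updated_at` as stale on purpose, since a clock skewed forward would otherwise pass the check indefinitely.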

>Related Controls

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What is your organization's documented risk assessment policy and how does it address the requirements of RA-5(2)?
  • Who has been designated as responsible for conducting and maintaining risk assessments?
  • How frequently are risk assessments conducted and what triggers an update to the risk assessment?

Technical Implementation:

  • What methodology or framework do you use to conduct risk assessments?
  • How do you identify and categorize threats and vulnerabilities during the risk assessment process?
  • What tools or systems support your risk assessment activities?
  • What vulnerability scanning tools are used and how often are scans performed?

Evidence & Documentation:

  • Can you provide the most recent risk assessment report?
  • What evidence demonstrates that risk assessment findings are communicated to appropriate stakeholders?
  • Where are risk assessment results documented and how long are they retained?
  • Can you provide recent vulnerability scan reports and evidence of remediation?
