
RA-5(4) Vulnerability Monitoring and Scanning | Discoverable Information

IL4 High | IL5 | IL6

>Control Description

Determine information about the system that is discoverable and take organization-defined corrective actions.

>DoD Impact Level Requirements

FedRAMP Parameter Values

RA-5 (4) [notify appropriate service provider personnel and follow procedures for organization and service provider-defined corrective actions]

>Discussion

Discoverable information includes information that adversaries could obtain without compromising or breaching the system, such as by collecting information that the system is exposing or by conducting extensive web searches. Corrective actions include notifying appropriate organizational personnel, removing designated information, or changing the system to make the designated information less relevant or attractive to adversaries. This enhancement excludes intentionally discoverable information that may be part of a decoy capability (e.g., honeypots, honeynets, or deception nets) deployed by the organization.

>Related Controls

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What is your organization's documented risk assessment policy and how does it address the requirements of RA-5(4)?
  • Who has been designated as responsible for conducting and maintaining risk assessments?
  • How frequently are risk assessments conducted and what triggers an update to the risk assessment?

Technical Implementation:

  • What methodology or framework do you use to conduct risk assessments?
  • How do you identify and categorize threats and vulnerabilities during the risk assessment process?
  • What tools or systems support your risk assessment activities?

Evidence & Documentation:

  • Can you provide the most recent risk assessment report?
  • What evidence demonstrates that risk assessment findings are communicated to appropriate stakeholders?
  • Where are risk assessment results documented and how long are they retained?
