>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

RA-5 (03)Vulnerability Monitoring and Scanning | Breadth and Depth of Coverage

Moderate
High

>Control Description

Define the breadth and depth of vulnerability scanning coverage.

>FedRAMP Baseline Requirements

No FedRAMP-specific parameter values or requirements for this baseline.

>Discussion

The breadth of vulnerability scanning coverage can be expressed as a percentage of components within the system, by the particular types of systems, by the criticality of systems, or by the number of vulnerabilities to be checked. Conversely, the depth of vulnerability scanning coverage can be expressed as the level of the system design that the organization intends to monitor (e.g., component, module, subsystem, element). Organizations can determine the sufficiency of vulnerability scanning coverage with regard to its risk tolerance and other factors.

Scanning tools and how the tools are configured may affect the depth and coverage. Multiple scanning tools may be needed to achieve the desired depth and coverage. SP 800-53A provides additional information on the breadth and depth of coverage.

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What is your organization's documented risk assessment policy and how does it address the requirements of RA-5(3)?
  • Who has been designated as responsible for conducting and maintaining risk assessments?
  • How frequently are risk assessments conducted and what triggers an update to the risk assessment?

Technical Implementation:

  • What methodology or framework do you use to conduct risk assessments?
  • How do you identify and categorize threats and vulnerabilities during the risk assessment process?
  • What tools or systems support your risk assessment activities?
  • What vulnerability scanning tools are used and how often are scans performed?

Evidence & Documentation:

  • Can you provide the most recent risk assessment report?
  • What evidence demonstrates that risk assessment findings are communicated to appropriate stakeholders?
  • Where are risk assessment results documented and how long are they retained?
  • Can you provide recent vulnerability scan reports and evidence of remediation?

Ask AI

Configure your API key to use AI features.