RA-5 (05)—Vulnerability Monitoring and Scanning | Privileged Access

Moderate

High

>Control Description

Implement privileged access authorization to ⚙organization-defined system components for ⚙organization-defined vulnerability scanning activities.

>FedRAMP Baseline Requirements

No FedRAMP-specific parameter values or requirements for this baseline.

>Discussion

In certain situations, the nature of the vulnerability scanning may be more intrusive, or the system component that is the subject of the scanning may contain classified or controlled unclassified information, such as personally identifiable information. Privileged access authorization to selected system components facilitates more thorough vulnerability scanning and protects the sensitive nature of such scanning.

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

•What is your organization's documented risk assessment policy and how does it address the requirements of RA-5(5)?
•Who has been designated as responsible for conducting and maintaining risk assessments?
•How frequently are risk assessments conducted and what triggers an update to the risk assessment?

Technical Implementation:

•What methodology or framework do you use to conduct risk assessments?
•How do you identify and categorize threats and vulnerabilities during the risk assessment process?
•What tools or systems support your risk assessment activities?
•What vulnerability scanning tools are used and how often are scans performed?

Evidence & Documentation:

•Can you provide the most recent risk assessment report?
•What evidence demonstrates that risk assessment findings are communicated to appropriate stakeholders?
•Where are risk assessment results documented and how long are they retained?
•Can you provide recent vulnerability scan reports and evidence of remediation?

Ask AI

Configure your API key to use AI features.