SA-15(7)

  • Requirement

    Require the developer of the system, system component, or system service [Assignment: organization-defined frequency] to:

    1. Perform an automated vulnerability analysis using [Assignment: organization-defined tools];
    2. Determine the exploitation potential for discovered vulnerabilities;
    3. Determine potential risk mitigations for delivered vulnerabilities; and
    4. Deliver the outputs of the tools and results of the analysis to [Assignment: organization-defined personnel or roles].
  • Discussion

    Automated tools can be more effective at analyzing exploitable weaknesses or deficiencies in large and complex systems, prioritizing vulnerabilities by severity, and providing recommendations for risk mitigations.

More Info

  • Title

    Development Process, Standards, and Tools | Automated Vulnerability Analysis
  • Family

    System and Services Acquisition
  • NIST 800-53B Baseline(s)

  • Related NIST 800-53 ID

    RA-5; SA-11
