Risk Assessment

Vulnerability Monitoring and Scanning

RA-05

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: RA-05
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

  • a. Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported;
  • b. Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
    • 1. Enumerating platforms, software flaws, and improper configurations;
    • 2. Formatting checklists and test procedures; and
    • 3. Measuring vulnerability impact;
  • c. Analyze vulnerability scan reports and results from vulnerability monitoring;
  • d. Remediate legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk;
  • e. Share information obtained from the vulnerability monitoring process and control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems; and
  • f. Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.

FedRAMP Guidance

Follow the FedRAMP Vulnerability Detection and Response and Vulnerability Evaluation and Reporting rules.


Update Vulnerabilities to Be Scanned

RA-05(02)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: RA-05(02)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Update the system vulnerabilities to be scanned [Selection: one or more of: prior to a new scan; when new vulnerabilities are identified and reported].

FedRAMP Guidance

Follow the FedRAMP Vulnerability Detection and Response and Vulnerability Evaluation and Reporting rules.


Breadth and Depth of Coverage

RA-05(03)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: RA-05(03)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Define the breadth and depth of vulnerability scanning coverage.

FedRAMP Guidance

Follow the FedRAMP Vulnerability Detection and Response and Vulnerability Evaluation and Reporting rules.


Discoverable Information

RA-05(04)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: RA-05(04)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Determine information about the system that is discoverable and take [Assignment: organization-defined corrective actions].

FedRAMP Guidance

Follow the FedRAMP Vulnerability Detection and Response and Vulnerability Evaluation and Reporting rules.


Privileged Access

RA-05(05)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: RA-05(05)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Implement privileged access authorization to [Assignment: organization-defined system components] for [Assignment: organization-defined vulnerability scanning activities].

FedRAMP Guidance

Follow the FedRAMP Vulnerability Detection and Response and Vulnerability Evaluation and Reporting rules.


Review Historic Audit Logs

RA-05(08)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: RA-05(08)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Review historic audit logs to determine if a vulnerability identified in a [Assignment: organization-defined system] has been previously exploited within an [Assignment: organization-defined time period].

FedRAMP Guidance

Follow the FedRAMP Vulnerability Detection and Response and Vulnerability Evaluation and Reporting rules.


Public Disclosure Program

RA-05(11)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: RA-05(11)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components.

FedRAMP Guidance

Follow the FedRAMP Vulnerability Detection and Response and Vulnerability Evaluation and Reporting rules.


Risk Response

RA-07

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: RA-07
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance.

FedRAMP Guidance

Follow the FedRAMP Vulnerability Detection and Response and Vulnerability Evaluation and Reporting rules.
