The NIST Model for ...
Clear all
2 Posts
1 Users
39.5 K Views
Posts: 108
Topic starter
Joined: 4 years ago

The NIST model defines controls and best practices that allow agencies to thoughtfully view the subject of vulnerability management holistically. No one size fits all mandates here. NIST Cybersecurity Framework guidance recommends the following actions as part of an overall vulnerability management and risk mitigation strategy:

  1. Asset vulnerabilities are identified and documented
  2. Threat and vulnerability information is received from information sharing forums and sources
  3. Threats both internal and external are identified and documented
  4. Threats, vulnerabilities, likelihoods and impacts are used to determine risk
  5. Risk responses are identified and prioritized
  6. Vulnerability management plan is developed and implemented
  7. Event Data are aggregated and correlated from multiple sources and sensors
  8. Vulnerability scans are performed
  9. Newly identified vulnerabilities are mitigated or documented as accepted risks



SP 800-40 Rev. 3 - Guide to Enterprise Patch Management Technologies (2013)

1 Reply
Posts: 108
Topic starter
Joined: 4 years ago

As described by NIST, vulnerability scanning is a technique used to identify hosts/host attributes and associated vulnerabilities. (Source) NIST suggests that companies employ vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: Enumerating platforms, software flaws, and improper configurations; Formatting checklists and test procedures; and Measuring vulnerability impact. (Source)