The NIST Model for Vulnerability Management
The NIST model defines controls and best practices that let agencies view vulnerability management holistically and deliberately. There are no one-size-fits-all mandates here. NIST Cybersecurity Framework guidance recommends the following actions as part of an overall vulnerability management and risk mitigation strategy:
- Asset vulnerabilities are identified and documented
- Threat and vulnerability information is received from information sharing forums and sources
- Threats both internal and external are identified and documented
- Threats, vulnerabilities, likelihoods and impacts are used to determine risk
- Risk responses are identified and prioritized
- Vulnerability management plan is developed and implemented
- Event Data are aggregated and correlated from multiple sources and sensors
- Vulnerability scans are performed
- Newly identified vulnerabilities are mitigated or documented as accepted risks
SP 800-40 Rev. 3 - Guide to Enterprise Patch Management Technologies (2013)
As described by NIST, vulnerability scanning is a technique used to identify hosts, host attributes, and their associated vulnerabilities. NIST suggests that organizations employ vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: enumerating platforms, software flaws, and improper configurations; formatting checklists and test procedures; and measuring vulnerability impact.
- Assured Compliance Assessment Solution (ACAS)
ACAS is a suite of products, including Security Center, the Nessus Scanner and the Nessus Network Monitor, that DISA provides to DoD customers at no cost.
- Credentialed Vulnerability Scanning
This brief slideshow presentation discusses general vulnerability concepts and stresses the importance of using administrator credentials for scanning.
- Introduction to Vulnerability Scanning Video
In this video a security engineer introduces the viewer to NIST SP 800-171 Control 3.11.2 and vulnerability scanning.
- Open Web Application Security Project (OWASP) – Vulnerability Scanning Tools
Open Web Application Security Project (OWASP) provides a list of commercial and free vulnerability scanning tools for various platforms.
- SANS Whitepaper – Implementing a Vulnerability Management Process
This SANS whitepaper looks at how a vulnerability management process could be designed and implemented within an organization.
- SANS Whitepaper – Vulnerabilities & Vulnerability Scanning
This SANS whitepaper discusses the benefits and pitfalls of vulnerability scanning and suggests an approach suitable for small and medium-sized businesses.
- State of Alabama – Vulnerability Scanning Policy
This is an example of a vulnerability scanning policy from the State of Alabama.
- BrightTALK – Is Your Vulnerability Management Program Vulnerable?
This two-part webinar from BrightTALK discusses the key challenges and pitfalls that most vulnerability management programs face.
- National Cybersecurity Assessments and Technical Services (NCATS)
NCATS is a DHS service that performs regular network and vulnerability scans and delivers a weekly report for your action.
- NIST Handbook 162 NIST MEP Cybersecurity Self-Assessment Handbook For Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements
This handbook provides a step-by-step guide to assessing a small manufacturer's information systems against the security requirements in NIST SP 800-171 Rev. 1.
- NIST SP 800-115 Technical Guide to Information Security Testing and Assessment
This NIST Special Publication is a guide to the basic technical aspects of conducting information security assessments.
- NIST SP 800-171A Assessing Security Requirements for Controlled Unclassified Information
The purpose of this publication is to provide procedures for assessing the CUI requirements in NIST Special Publication 800-171.