The organization:

RA-5a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported;

RA-5b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:

RA-5b.1. Enumerating platforms, software flaws, and improper configurations;

RA-5b.2. Formatting checklists and test procedures; and

RA-5b.3. Measuring vulnerability impact;

RA-5c. Analyzes vulnerability scan reports and results from security control assessments;

RA-5d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and

RA-5e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).