NISTIR 8011 Vol. 4 released: “Automation Support for Security Control Assessment: Software Vulnerability Management”


Takamura, Eduardo K. (Fed)

Apr 29, 2020, 12:15:23 PM
to FISMA-PROJECT

NIST publishes NIST Internal Report (NISTIR) 8011, Volume 4: Automation Support for Security Control Assessments: Software Vulnerability Management

When known software vulnerabilities are unmanaged, uncorrected, or undetected, attack vectors are left open to exploit the software. As a result, vulnerable software becomes a key target that attackers can use to initiate an attack on an organization’s network and expand control to attack other components on the network. By managing software vulnerabilities, the level of effort needed to initiate such an attack and expand control to other components on the network is greatly increased. Automated assessment of security controls that support management of known software vulnerabilities and weaknesses helps verify that the software vulnerability management capability is working. To facilitate this effort, NIST and Department of Homeland Security (DHS) researchers have developed an automated process to assess the effectiveness of the security controls that provide the information security capability known as Software Vulnerability Management (VUL), the focus of which is to manage risk created by defects present in software on the network.


NISTIR 8011 Volume 4, Automation Support for Security Control Assessments: Software Vulnerability Management, provides an operational approach for automating security control assessments to manage vulnerabilities in software. This approach is consistent with the NIST Risk Management Framework as described in NIST Special Publication (SP) 800-37 and the guidance in NIST SPs 800-53 and 800-53A. Previous volumes in the NISTIR 8011 series include: Volume 1 (Overview), Volume 2 (Hardware Asset Management), and Volume 3 (Software Asset Management).


As we review previously released volumes in the 8011 series, we would like to hear your feedback especially on implementation, lessons learned, and any suggestions for improvement. Please email your comments to: sec-...@nist.gov. Your feedback may also help us improve future volumes in the 8011 series.

-- Eduardo

Eduardo Takamura

National Institute of Standards and Technology (NIST)

Information Technology Laboratory (ITL)/Computer Security Division (CSD)

Security Engineering and Risk Management Group

FISMA Implementation Project

eduardo....@nist.gov | www.nist.gov
