VPM-06.6 · External Vulnerability Assessment Scans

Control Description

Mechanisms exist to perform quarterly external vulnerability scans (outside the organization's network looking inward) via a reputable vulnerability service provider, which include rescans until passing results are obtained or all “high” vulnerabilities are resolved, as defined by the Common Vulnerability Scoring System (CVSS).

Control Question
Assessment question for control validation

Does the organization perform quarterly external vulnerability scans (outside its network looking inward) via a reputable vulnerability service provider, which include rescans until passing results are obtained or all “high” vulnerabilities are resolved, as defined by the Common Vulnerability Scoring System (CVSS)?

Control Weighting
9
Validation Cadence
Semi-Annual
NIST CSF Function
Detect
Supply Chain Risk Management (SCRM) Tiers
Applicable SCRM tier levels for this control
Tier 2 - Operational
Tier 3 - Tactical