VPM-06.7: Internal Vulnerability Assessment Scans

VPM-06.7 · Internal Vulnerability Assessment Scans

Control Description

Mechanisms exist to perform quarterly internal vulnerability scans, which includes all segments of the organization's internal network, as well as rescans until passing results are obtained or all “high” vulnerabilities are resolved, as defined by the Common Vulnerability Scoring System (CVSS).

Control Question

Assessment question for control validation

Does the organization perform quarterly internal vulnerability scans, which includes all segments of its internal network, as well as rescans until passing results are obtained or all “high” vulnerabilities are resolved, as defined by the Common Vulnerability Scoring System (CVSS)?

Control Weighting

Validation Cadence

Semi-Annual

NIST CSF Function

Detect

Supply Chain Risk Management (SCRM) Tiers

Applicable SCRM tier levels for this control

Tier 2 - Operational

Tier 3 - Tactical