Automated Assessments for Software Security Control
NIST Publishes NISTIR 8011 Vol. 4
By CHIPS Magazine - April 30, 2020
When known software vulnerabilities are unmanaged, uncorrected, or undetected, attack vectors are open to exploitation. As a result, vulnerable software becomes a key target that cybercriminals can use to initiate an attack on an organization’s network and further expand control to attack other components within the weakened network. However, by mitigating software vulnerabilities, the level of effort needed to initiate such an attack and expand control to other network components is substantially increased, National Institute of Standards and Technology officials advised.

Automated assessment of security controls that support management of known software vulnerabilities and weaknesses helps verify that the software vulnerability management capability is working. To facilitate this effort, NIST and Department of Homeland Security (DHS) researchers developed an automated process to assess the effectiveness of the security controls that provide the information security capability known as Software Vulnerability Management (VUL), the focus of which is to manage risk created by defects present in software on the network.

NISTIR 8011 Volume 4, Automation Support for Security Control Assessments: Software Vulnerability Management, provides an operational approach for automating security control assessments to manage vulnerabilities in software. This approach is consistent with the NIST Risk Management Framework as described in NIST Special Publication (SP) 800-37 and with the security control catalog and assessment guidance in NIST SPs 800-53 and 800-53A.

NISTIR 8011 Volume 4
https://csrc.nist.gov/publications/detail/nistir/8011/vol-4/final

Previous volumes in the NISTIR 8011 series include:

Volume 1 (Overview)
https://csrc.nist.gov/publications/detail/nistir/8011/vol-1/final

Volume 2 (Hardware Asset Management)
https://csrc.nist.gov/publications/detail/nistir/8011/vol-2/final

Volume 3 (Software Asset Management)
https://csrc.nist.gov/publications/detail/nistir/8011/vol-3/final

SP 800-37 Rev. 2
https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final

SP 800-53 Rev. 4
https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final

SP 800-53A Rev. 4
https://csrc.nist.gov/publications/detail/sp/800-53a/rev-4/final
CHIPS is an official U.S. Navy website sponsored by the Department of the Navy (DON) Chief Information Officer, the Department of Defense Enterprise Software Initiative (ESI) and the DON's ESI Software Product Manager Team at Space and Naval Warfare Systems Center Pacific.

Online ISSN 2154-1779; Print ISSN 1047-9988