NIST 800-53 r5 · Controls catalogue · Family RA
RA-5 Vulnerability Monitoring and Scanning
- Monitor and scan for vulnerabilities in the system and hosted applications {{ insert: param, ra-5_prm_1 }} and when new vulnerabilities potentially affecting the system are identified and reported;
- Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
  - Enumerating platforms, software flaws, and improper configurations;
  - Formatting checklists and test procedures; and
  - Measuring vulnerability impact;
- Analyze vulnerability scan reports and results from vulnerability monitoring;
- Remediate legitimate vulnerabilities {{ insert: param, ra-05_odp.03 }} in accordance with an organizational assessment of risk;
- Share information obtained from the vulnerability monitoring process and control assessments with {{ insert: param, ra-05_odp.04 }} to help eliminate similar vulnerabilities in other systems; and
- Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.
Last updated: 04 July 2026 00:28 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: mostly · 7 mapping(s) from 1 framework(s): CSF 2.0 7 (mostly)
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (107)
- T1011.001 Exfiltration Over Bluetooth (Exfiltration)
- T1021.001 Remote Desktop Protocol (Lateral Movement)
- T1021.003 Distributed Component Object Model (Lateral Movement)
- T1021.004 SSH (Lateral Movement)
- T1021.005 VNC (Lateral Movement)
- T1021.006 Windows Remote Management (Lateral Movement)
- T1046 Network Service Discovery (Discovery)
- T1047 Windows Management Instrumentation (Execution)
- T1052 Exfiltration Over Physical Medium (Exfiltration)
- T1052.001 Exfiltration over USB (Exfiltration)
- T1053 Scheduled Task/Job (Execution, Persistence, Privilege Escalation)
- T1053.002 At (Execution, Persistence, Privilege Escalation)
- T1053.003 Cron (Execution, Persistence, Privilege Escalation)
- T1053.005 Scheduled Task (Execution, Persistence, Privilege Escalation)
- T1059 Command and Scripting Interpreter (Execution)
- T1059.001 PowerShell (Execution)
- T1059.005 Visual Basic (Execution)
- T1059.007 JavaScript (Execution)
- T1068 Exploitation for Privilege Escalation (Privilege Escalation)
- T1078 Valid Accounts (Stealth, Persistence, Privilege Escalation, Initial Access)
- T1091 Replication Through Removable Media (Lateral Movement, Initial Access)
- T1092 Communication Through Removable Media (Command And Control)
- T1098.004 SSH Authorized Keys (Persistence, Privilege Escalation)
- T1127 Trusted Developer Utilities Proxy Execution (Stealth, Execution)
- T1127.001 MSBuild (Stealth, Execution)
- T1127.002 ClickOnce (Stealth, Execution)
- T1133 External Remote Services (Persistence, Initial Access)
- T1137 Office Application Startup (Persistence)
- T1137.001 Office Template Macros (Persistence)
- T1176 Software Extensions (Persistence)
- T1190 Exploit Public-Facing Application (Initial Access)
- T1195 Supply Chain Compromise (Initial Access)
- T1195.001 Compromise Software Dependencies and Development Tools (Initial Access)
- T1195.002 Compromise Software Supply Chain (Initial Access)
- T1204.003 Malicious Image (Execution)
- T1210 Exploitation of Remote Services (Lateral Movement)
- T1211 Exploitation for Stealth (Stealth)
- T1212 Exploitation for Credential Access (Credential Access)
- T1213 Data from Information Repositories (Collection)
- T1213.001 Confluence (Collection)
- T1213.002 Sharepoint (Collection)
- T1213.003 Code Repositories (Collection)
- T1213.005 Messaging Applications (Collection)
- T1218 System Binary Proxy Execution (Stealth)
- T1218.003 CMSTP (Stealth)
- T1218.004 InstallUtil (Stealth)
- T1218.005 Mshta (Stealth)
- T1218.008 Odbcconf (Stealth)
- T1218.009 Regsvcs/Regasm (Stealth)
- T1218.012 Verclsid (Stealth)
Weaknesses this control addresses (9) · AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-284 | Improper Access Control | 5,367 | Scans identify improper access control implementations and missing protections on system resources. |
| CWE-306 | Missing Authentication for Critical Function | 2,820 | Tools routinely check for missing authentication on critical functions and exposed interfaces. |
| CWE-732 | Incorrect Permission Assignment for Critical Resource | 1,874 | Permission and ACL misconfigurations on critical resources are standard findings in automated scans. |
| CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | 777 | Scanners flag use of broken or weak cryptographic algorithms via known-vulnerability databases. |
| CWE-311 | Missing Encryption of Sensitive Data | 554 | Monitoring detects missing encryption of sensitive data in storage or transit configurations. |
| CWE-1188 | Initialization of a Resource with an Insecure Default | 335 | Scans detect resources initialized with insecure defaults that create exploitable conditions. |
| CWE-521 | Weak Password Requirements | 308 | Vulnerability scans assess password policies and weak credential requirements against benchmarks. |
| CWE-15 | External Control of System or Configuration Setting | 69 | Vulnerability scanners directly detect externally controllable or misconfigured settings using standardized checklists. |
| CWE-1104 | Use of Unmaintained Third Party Components | 21 | Regular scanning with updatable vulnerability feeds directly identifies unmaintained third-party components. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2026-3910 KEV | 10.0 | 8.8 | 0.0200 | good |
| CVE-2026-2441 KEV | 10.0 | 8.8 | 0.2202 | partial |
| CVE-2025-37164 KEV | 10.0 | 10.0 | 0.8973 | good |
| CVE-2025-24991 KEV | 10.0 | 5.5 | 0.0185 | good |
| CVE-2025-5419 KEV UPD | 10.0 | 8.8 | 0.0646 | good |
| CVE-2024-9537 KEV | 10.0 | 9.8 | 0.0385 | partial |
| CVE-2024-7965 KEV | 10.0 | 8.8 | 0.1723 | partial |
| CVE-2024-58136 KEV | 10.0 | 9.0 | 0.8778 | partial |
| CVE-2021-31166 KEV | 10.0 | 9.8 | 0.9972 | partial |
| CVE-2025-66516 | 8.0 | 8.4 | 0.7981 | partial |
| CVE-2026-33942 | 7.0 | 9.8 | 0.0062 | good |
| CVE-2026-32304 UPD | 7.0 | 9.8 | 0.0057 | good |
| CVE-2026-21536 | 7.0 | 9.8 | 0.0160 | good |
| CVE-2026-2628 | 7.0 | 9.8 | 0.0086 | good |
| CVE-2025-71243 | 7.0 | 9.8 | 0.0513 | partial |
| CVE-2026-0907 | 7.0 | 9.8 | 0.0025 | good |
| CVE-2026-0906 | 7.0 | 9.8 | 0.0032 | good |
| CVE-2025-46070 | 7.0 | 9.8 | 0.0044 | good |
| CVE-2026-21675 | 7.0 | 9.8 | 0.0039 | good |
| CVE-2025-27554 | 7.0 | 9.9 | 0.0074 | partial |
| CVE-2026-35051 UPD | 7.0 | 10.0 | 0.0027 | good |
| CVE-2023-25574 | 7.0 | 10.0 | 0.0033 | good |
| CVE-2024-38985 | 7.0 | 9.8 | 0.0074 | good |
| CVE-2024-24292 | 7.0 | 9.8 | 0.0072 | good |
| CVE-2025-27675 | 7.0 | 9.8 | 0.0071 | partial |