Cyber Resilience

NIST 800-53 r5 · Controls catalogue · Family RA

RA-5 Vulnerability Monitoring and Scanning

Monitor and scan for vulnerabilities in the system and hosted applications {{ insert: param, ra-5_prm_1 }} and when new vulnerabilities potentially affecting the system are identified and reported;
Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
  Enumerating platforms, software flaws, and improper configurations;
  Formatting checklists and test procedures; and
  Measuring vulnerability impact;
Analyze vulnerability scan reports and results from vulnerability monitoring;
Remediate legitimate vulnerabilities {{ insert: param, ra-05_odp.03 }} in accordance with an organizational assessment of risk;
Share information obtained from the vulnerability monitoring process and control assessments with {{ insert: param, ra-05_odp.04 }} to help eliminate similar vulnerabilities in other systems; and
Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: mostly · 7 mapping(s) from 1 framework(s): CSF 2.0 7 (mostly)

Implementations targeting this control (0)

ATT&CK techniques this control mitigates (107)

Weaknesses this control addresses (9) · AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE | Name | CVEs | Why this control addresses it
CWE-284 | Improper Access Control | 5,367 | Scans identify improper access control implementations and missing protections on system resources.
CWE-306 | Missing Authentication for Critical Function | 2,820 | Tools routinely check for missing authentication on critical functions and exposed interfaces.
CWE-732 | Incorrect Permission Assignment for Critical Resource | 1,874 | Permission and ACL misconfigurations on critical resources are standard findings in automated scans.
CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | 777 | Scanners flag use of broken or weak cryptographic algorithms via known-vulnerability databases.
CWE-311 | Missing Encryption of Sensitive Data | 554 | Monitoring detects missing encryption of sensitive data in storage or transit configurations.
CWE-1188 | Initialization of a Resource with an Insecure Default | 335 | Scans detect resources initialized with insecure defaults that create exploitable conditions.
CWE-521 | Weak Password Requirements | 308 | Vulnerability scans assess password policies and weak credential requirements against benchmarks.
CWE-15 | External Control of System or Configuration Setting | 69 | Vulnerability scanners directly detect externally controllable or misconfigured settings using standardized checklists.
CWE-1104 | Use of Unmaintained Third Party Components | 21 | Regular scanning with updatable vulnerability feeds directly identifies unmaintained third-party components.

Top CVEs where this control is the strongest mitigation

CVE | Risk | CVSS | EPSS | Match
CVE-2026-3910 KEV | 10.0 | 8.8 | 0.0200 | good
CVE-2026-2441 KEV | 10.0 | 8.8 | 0.2202 | partial
CVE-2025-37164 KEV | 10.0 | 10.0 | 0.8973 | good
CVE-2025-24991 KEV | 10.0 | 5.5 | 0.0185 | good
CVE-2025-5419 KEV UPD | 10.0 | 8.8 | 0.0646 | good
CVE-2024-9537 KEV | 10.0 | 9.8 | 0.0385 | partial
CVE-2024-7965 KEV | 10.0 | 8.8 | 0.1723 | partial
CVE-2024-58136 KEV | 10.0 | 9.0 | 0.8778 | partial
CVE-2021-31166 KEV | 10.0 | 9.8 | 0.9972 | partial
CVE-2025-66516 | 8.0 | 8.4 | 0.7981 | partial
CVE-2026-33942 | 7.0 | 9.8 | 0.0062 | good
CVE-2026-32304 UPD | 7.0 | 9.8 | 0.0057 | good
CVE-2026-21536 | 7.0 | 9.8 | 0.0160 | good
CVE-2026-2628 | 7.0 | 9.8 | 0.0086 | good
CVE-2025-71243 | 7.0 | 9.8 | 0.0513 | partial
CVE-2026-0907 | 7.0 | 9.8 | 0.0025 | good
CVE-2026-0906 | 7.0 | 9.8 | 0.0032 | good
CVE-2025-46070 | 7.0 | 9.8 | 0.0044 | good
CVE-2026-21675 | 7.0 | 9.8 | 0.0039 | good
CVE-2025-27554 | 7.0 | 9.9 | 0.0074 | partial
CVE-2026-35051 UPD | 7.0 | 10.0 | 0.0027 | good
CVE-2023-25574 | 7.0 | 10.0 | 0.0033 | good
CVE-2024-38985 | 7.0 | 9.8 | 0.0074 | good
CVE-2024-24292 | 7.0 | 9.8 | 0.0072 | good
CVE-2025-27675 | 7.0 | 9.8 | 0.0071 | partial

Other controls in family RA

RA-1 RA-10 RA-2 RA-3 RA-4 RA-6 RA-7 RA-8 RA-9