VPM-01.1: Attack Surface Scope
Mechanisms exist to define and manage the scope for its attack surface management activities.
Control Question: Does the organization define and manage the scope for its attack surface management activities?
General (27)
| Framework | Mapping Values |
|---|---|
| AICPA TSC 2017:2022 (used for SOC 2) (source) | CC2.2-POF9 CC3.2-POF7 CC3.2-POF9 CC3.4-POF6 CC9.2-POF13 |
| COBIT 2019 | MEA01.01 |
| CSA CCM 4 | TVM-07 |
| CSA IoT SCF 2 | CLS-06 VLN-02 SET-01 SET-04 |
| ISO/SAE 21434 2021 | RQ-09-01.a RQ-09-01.b RQ-09-01.c RQ-09-02 |
| ISO 27002 2022 | 8.8 |
| ISO 42001 2023 | 4.3 |
| MPA Content Security Program 5.1 | TS-4.0 |
| NIST 800-53 R5 (source) | SA-11(6) SA-11(7) |
| NIST 800-53 R5 (NOC) (source) | SA-11(6) SA-11(7) |
| NIST 800-171 R3 (source) | 03.11.02.a 03.14.01.a |
| NIST 800-171A R3 (source) | A.03.11.02.a[01] |
| NIST CSF 2.0 (source) | PR.PS-02 |
| PCI DSS 4.0.1 (source) | 6.3.1 6.3.2 11.3.1 11.3.1.1 11.3.1.2 11.3.1.3 11.3.2 11.3.2.1 |
| PCI DSS 4.0.1 SAQ A (source) | 6.3.1 11.3.2 11.3.2.1 |
| PCI DSS 4.0.1 SAQ A-EP (source) | 6.3.1 6.3.2 11.3.2 11.3.2.1 |
| PCI DSS 4.0.1 SAQ B-IP (source) | 6.3.1 11.3.2 |
| PCI DSS 4.0.1 SAQ C (source) | 6.3.1 11.3.1 11.3.1.3 11.3.2 11.3.2.1 |
| PCI DSS 4.0.1 SAQ C-VT (source) | 6.3.1 |
| PCI DSS 4.0.1 SAQ D Merchant (source) | 6.3.1 6.3.2 11.3.1 11.3.1.1 11.3.1.2 11.3.1.3 11.3.2 11.3.2.1 |
| PCI DSS 4.0.1 SAQ D Service Provider (source) | 6.3.1 6.3.2 11.3.1 11.3.1.1 11.3.1.2 11.3.1.3 11.3.2 11.3.2.1 |
| SWIFT CSF 2023 | 2.2 2.7 7.3A |
| TISAX ISA 6 | 5.2.5 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | VPM-01.1 |
| SCF CORE ESP Level 1 Foundational | VPM-01.1 |
| SCF CORE ESP Level 2 Critical Infrastructure | VPM-01.1 |
| SCF CORE ESP Level 3 Advanced Threats | VPM-01.1 |
US (9)
| Framework | Mapping Values |
|---|---|
| US C2M2 2.1 | THREAT-1.A.MIL1 THREAT-1.B.MIL1 THREAT-1.D.MIL1 THREAT-1.E.MIL2 THREAT-1.J.MIL3 |
| US CERT RMM 1.2 | VAR:SG1.SP1 |
| US CISA CPG 2022 | 1.E 1.F |
| US DHS ZTCF | CLO-02 EPM-02 |
| US FCA CRM | 609.930(c)(2) |
| US IRS 1075 | SA-11(6) |
| US NNPI (unclass) | 9.1 17.1 |
| US - CA CCPA 2025 | 7123(c)(5)(D) |
| US - NY DFS 23 NYCRR500 2023 Amd 2 | 500.5(a)(1) |
EMEA (5)
| Framework | Mapping Values |
|---|---|
| EMEA Germany C5 2020 | PSS-02 |
| EMEA Saudi Arabia CSCC-1 2019 | 2-10-1-1 |
| EMEA Saudi Arabia ECC-1 2018 | 2-11-3-1 5-1-3-8 |
| EMEA Saudi Arabia OTCC-1 2022 | 2-9-1-1 |
| EMEA Saudi Arabia SACS-002 | TPC-27 TPC-28 TPC-29 |
APAC (3)
| Framework | Mapping Values |
|---|---|
| APAC Japan ISMAP | 4.4.4 |
| APAC New Zealand NZISM 3.6 | 6.2.4.C.01 |
| APAC Singapore MAS TRM 2021 | 13.1.2 |
Americas (1)
| Framework | Mapping Values |
|---|---|
| Americas Canada ITSP-10-171 | 03.11.02.A 03.14.01.A |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to define and manage the scope for its attack surface management activities.
Level 1 — Performed Informally
Vulnerability & Patch Management (VPM) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, of the following criteria to exist:
- Attack Surface Management (ASM) is decentralized.
- IT personnel apply software patches through an informal process.
- Occasional vulnerability scanning is conducted on High Value Assets (HVAs).
Level 2 — Planned & Tracked
Vulnerability & Patch Management (VPM) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, of the following criteria to exist:
- Attack Surface Management (ASM) is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
- IT/cybersecurity personnel:
  - Define the scope of ASM activities.
  - Identify cybersecurity and data protection controls to address applicable statutory, regulatory and contractual requirements for ASM.
  - Apply software patches and other vulnerability remediation efforts.
- Administrative processes and technologies focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.
Level 3 — Well Defined
Vulnerability & Patch Management (VPM) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, of the following criteria to exist:
- An IT Asset Management (ITAM) function, or similar function, categorizes devices according to the data the asset stores, transmits and/or processes and applies the appropriate technology controls to protect the asset and data.
- A Governance, Risk & Compliance (GRC) function, or similar function:
  - Defines the scope of ASM activities.
  - Provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and data protection controls to protect the confidentiality, integrity, availability and safety of the organization's applications, systems, services and data with regards to ASM.
  - Provides oversight of ASM activities to centrally manage the flaw remediation process as part of the organization's overall Vulnerability & Patch Management Program (VPMP).
- A Security Operations Center (SOC), or similar function:
  - Manages the identification, tracking and remediation of vulnerabilities.
  - Utilizes a Security Information and Event Management (SIEM) platform, or similar automated tool, to monitor for unauthorized activities, accounts, connections, devices and software according to organization-specific Indicators of Compromise (IoC), including feeds from applications, hosts, network devices and vulnerability scanners.
- Asset custodians install the latest stable version of security-related updates on all systems within the organization-defined time requirements.
Level 4 — Quantitatively Controlled
See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to define and manage the scope for its attack surface management activities.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to define and manage the scope for its attack surface management activities.
Assessment Objectives
- VPM-01.1_A01 the breadth of testing and evaluation of required controls is defined.
- VPM-01.1_A02 the depth of testing and evaluation of required controls is defined.
- VPM-01.1_A03 systems, applications and services are monitored for vulnerabilities per an organization-defined frequency.
- VPM-01.1_A04 systems and system components are included in the scope of the specified enhanced security requirements.
- VPM-01.1_A05 systems and system components that are not included in the scope of the specified enhanced security requirements are segregated in purpose-specific networks.
- VPM-01.1_A06 the developer of the system, system component or system service is required to perform attack surface reviews.
- VPM-01.1_A07 the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that produces evidence that meets an organization-defined breadth.
- VPM-01.1_A08 the developer of the system, system component, or system service is required to verify that the scope of testing and evaluation provides complete coverage of the required controls at an organization-defined depth.
- VPM-01.1_A09 the system is monitored for vulnerabilities <A.03.11.02.ODP[01]: frequency>.
Evidence Requirements
- E-VPM-06 Attack Surface Scope: documented evidence of the organization defining its attack surface (e.g., may be in the form of graphical network diagrams or other forms of written documentation).
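A documented scope is only useful if it is checked against what discovery actually finds. The following is an added example (not SCF, NIST or PCI tooling) of that reconciliation: a declared attack surface (owned address space, owned apex domains, explicit carve-outs, and the organization-defined scan frequency from A03/A09) is compared with a list of discovered assets, producing the three findings a scope owner has to act on: assets that are in scope but overdue for scanning, assets that were discovered but never declared (a scope gap or shadow IT), and assets that fall inside owned space but were deliberately excluded. The scope format, the asset records, the fixed report date and the 30-day frequency are all constructed assumptions; the address ranges are documentation ranges (RFC 5737/3849) rather than real infrastructure.

```python
"""
Added example: reconciling a declared attack-surface scope against discovered
assets. Illustrative code, not SCF/NIST/PCI tooling; the scope document
format, the asset records, the report date and the scan frequency are assumed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed scope declaration (assumed format). In practice this is the
# documented attack surface that evidence requirement E-VPM-06 asks for.
SCOPE = {
    "networks": ["203.0.113.0/24", "2001:db8::/32"],   # owned address space
    "domains": ["example.com", "example.net"],          # owned apex domains; subdomains inherit
    "excluded_networks": ["203.0.113.250/32"],          # carved out, e.g. third-party managed host
    "excluded_domains": ["legacy.example.net"],         # carved out, e.g. pending decommission
    "scan_frequency_days": 30,                          # organization-defined frequency (A03/A09)
}

# Constructed report date so the example is deterministic.
REPORT_DATE = date(2024, 6, 1)


@dataclass(frozen=True)
class Asset:
    identifier: str              # IP address or DNS name as reported by discovery
    last_scanned: date | None    # None means never scanned


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _domain_matches(name: str, patterns: list[str]) -> bool:
    # Case-insensitive, tolerant of a trailing dot; matches the apex or any subdomain.
    name = name.lower().rstrip(".")
    return any(name == p or name.endswith("." + p) for p in patterns)


def _network_matches(ip: str, cidrs: list[str]) -> bool:
    # ipaddress returns False for a v4 address tested against a v6 network and vice versa.
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def classify(asset_id: str, scope: dict = SCOPE) -> str:
    """Return 'excluded', 'in_scope' or 'unknown' for one discovered identifier.
    Exclusions are tested first so a carve-out inside owned space wins."""
    if _is_ip(asset_id):
        if _network_matches(asset_id, scope["excluded_networks"]):
            return "excluded"
        if _network_matches(asset_id, scope["networks"]):
            return "in_scope"
        return "unknown"
    if _domain_matches(asset_id, scope["excluded_domains"]):
        return "excluded"
    if _domain_matches(asset_id, scope["domains"]):
        return "in_scope"
    return "unknown"


def reconcile(assets: list[Asset], scope: dict = SCOPE, today: date = REPORT_DATE) -> dict:
    """Bucket discovered assets; 'stale' lists in-scope assets whose last scan is
    older than the declared frequency (or that were never scanned)."""
    stale_after = timedelta(days=scope["scan_frequency_days"])
    report = {"in_scope": [], "stale": [], "unknown": [], "excluded": []}
    for asset in assets:
        bucket = classify(asset.identifier, scope)
        report[bucket].append(asset.identifier)
        if bucket == "in_scope" and (
            asset.last_scanned is None or today - asset.last_scanned > stale_after
        ):
            report["stale"].append(asset.identifier)
    return report


# Constructed discovery output (e.g. from external scanning or DNS enumeration).
DISCOVERED = [
    Asset("203.0.113.10", date(2024, 5, 20)),     # in scope, scanned within 30 days
    Asset("203.0.113.77", date(2024, 3, 1)),      # in scope, scan overdue
    Asset("203.0.113.250", date(2024, 5, 20)),    # inside owned range but carved out
    Asset("www.example.com", date(2024, 5, 25)),  # in scope via apex domain
    Asset("legacy.example.net", None),            # excluded domain
    Asset("api.example.org", None),               # never declared: scope gap or shadow IT
    Asset("198.51.100.5", None),                  # never declared address space
]

if __name__ == "__main__":
    for bucket, ids in reconcile(DISCOVERED).items():
        print(f"{bucket:9s} {ids}")
```

The "unknown" bucket is the one auditors ask about first: every entry is either an asset that must be added to the documented scope or evidence that discovery is reaching beyond the organization's boundary. The "stale" bucket ties the scope document to the frequency objective, so the same artifact serves A03/A09 as well as E-VPM-06.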
Vulnerability Management