VPM-06.8: Acceptable Discoverable Information
Mechanisms exist to define what information is allowed to be discoverable by adversaries and take corrective actions to remediate non-compliant Technology Assets, Applications and/or Services (TAAS).
Control Question: Does the organization define what information is allowed to be discoverable by adversaries and take corrective actions to remediate non-compliant Technology Assets, Applications and/or Services (TAAS)?
General (10)
| Framework | Mapping Values |
|---|---|
| GovRAMP High | RA-05(04) |
| NIST 800-53 R4 | RA-5(4) |
| NIST 800-53 R4 (high) | RA-5(4) |
| NIST 800-53 R5 (source) | RA-5(4) |
| NIST 800-53B R5 (high) (source) | RA-5(4) |
| NIST 800-82 R3 HIGH OT Overlay | RA-5(4) |
| PCI DSS 4.0.1 (source) | 1.4.5 |
| PCI DSS 4.0.1 SAQ A-EP (source) | 1.4.5 |
| PCI DSS 4.0.1 SAQ D Merchant (source) | 1.4.5 |
| PCI DSS 4.0.1 SAQ D Service Provider (source) | 1.4.5 |
US (5)
| Framework | Mapping Values |
|---|---|
| US FedRAMP R4 | RA-5(4) |
| US FedRAMP R4 (high) | RA-5(4) |
| US FedRAMP R5 (source) | RA-5(4) |
| US FedRAMP R5 (high) (source) | RA-5(4) |
| US IRS 1075 | RA-5(4) |
APAC (1)
| Framework | Mapping Values |
|---|---|
| APAC New Zealand NZISM 3.6 | 14.1.14.C.01 |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to define what information is allowed to be discoverable by adversaries and take corrective actions to remediate non-compliant Technology Assets, Applications and/or Services (TAAS).
Level 1 — Performed Informally
Vulnerability & Patch Management (VPM) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Attack Surface Management (ASM) is decentralized.
- IT personnel apply software patches through an informal process.
- Occasional vulnerability scanning is conducted on High Value Assets (HVAs).
Level 2 — Planned & Tracked
Vulnerability & Patch Management (VPM) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Identify cybersecurity and data protection controls to address applicable statutory, regulatory and contractual requirements for ASM. o Apply software patches and other vulnerability remediation efforts.
- Attack Surface Management (ASM) is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
- IT/cybersecurity personnel:
- Administrative processes and technologies focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.
- Administrative processes and technologies prevent the public disclosure of internal address information.
Level 3 — Well Defined
Vulnerability & Patch Management (VPM) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Defines the scope of ASM activities. o Provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and data protection controls to protect the confidentiality, integrity, availability and safety of the organization's applications, Technology Assets, Applications and/or Services (TAAS), services and data with regards to ASM. o Provides oversight of ASM activities to centrally manage the flaw remediation process as part of the organization's overall Patch& Vulnerability & Patch Management Program (VPMP). o Manages the identification, tracking and remediation of vulnerabilities. o Utilizes a Security Incident Event monitor (SIEM), or similar automated tool, to monitor for unauthorized activities, accounts, connections, devices and software according to organization-specific Indicators of Compromise (IoC), including feeds from applications, hosts, network devices and vulnerability scanners.
- An IT Asset Management (ITAM) function, or similar function, categorizes devices according to the data the asset stores, transmits and/ or processes and applies the appropriate technology controls to protect the asset and data.
- A Governance, Risk & Compliance (GRC) function, or similar function:
- A Security Operations Center (SOC), or similar function:
- Asset custodians install the latest stable version of security-related updates on all Technology Assets, Applications and/or Services (TAAS) within the organization-defined time requirements.
- Administrative processes and technologies prevent the public disclosure of internal address information.
Level 4 — Quantitatively Controlled
See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to define what information is allowed to be discoverable by adversaries and take corrective actions to remediate non-compliant Technology Assets, Applications and/or Services (TAAS).
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to define what information is allowed to be discoverable by adversaries and take corrective actions to remediate non-compliant Technology Assets, Applications and/or Services (TAAS).
Assessment Objectives
- VPM-06.8_A01 corrective actions to be taken if information about the system is discoverable are defined.
- VPM-06.8_A02 corrective actions are taken when information about the system is confirmed as discoverable.
- VPM-06.8_A03 information about the system is discoverable.