RV.1.1—Gather information from software acquirers, users, and public sources on potential vulnerabilities in the software and third-party components that the software uses, and investigate all credible reports.
>Control Description
Gather information from software acquirers, users, and public sources on potential vulnerabilities in the software and third-party components that the software uses, and investigate all credible reports.
>Practice: RV.1
Identify and Confirm Vulnerabilities on an Ongoing Basis
Help ensure that vulnerabilities are identified more quickly so that they can be remediated more quickly in accordance with risk, reducing the window of opportunity for attackers.
>Notional Implementation Examples
1. Monitor vulnerability databases, security mailing lists, and other sources of vulnerability reports through manual or automated means.
2. Use threat intelligence sources to better understand how vulnerabilities in general are being exploited.
3. Automatically review provenance and software composition data for all software components to identify any new vulnerabilities they have.
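As an added example of notional implementation example 3 (it is not part of NIST SP 800-218 or of any particular SCA tool), the following Python matches an SBOM-style component list against OSV-style advisory version ranges and reports only findings that were not already tracked in an earlier review. The package names, advisory identifiers and version data are constructed, and the version parser assumes plain dotted numeric versions.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Component:
    ecosystem: str   # e.g. "PyPI", "npm", as recorded in the SBOM/SCA output
    name: str
    version: str

def parse_version(v: str) -> tuple:
    # Assumption: plain dotted numeric versions. Real ecosystems need their
    # own comparison rules (PEP 440, semver, Debian epochs, ...).
    return tuple(int(p) for p in v.split("."))

def is_affected(version: str, ranges: list) -> bool:
    """OSV-style ranges: affected if introduced <= v and (no fix or v < fixed)."""
    v = parse_version(version)
    for r in ranges:
        lo = parse_version(r["introduced"])
        hi = parse_version(r["fixed"]) if "fixed" in r else None
        if v >= lo and (hi is None or v < hi):
            return True
    return False

def find_affected(components, advisories):
    """Return sorted (advisory id, ecosystem, name, version) for every match."""
    hits = set()
    for adv in advisories:
        for c in components:
            if (c.ecosystem, c.name) == (adv["ecosystem"], adv["package"]) \
                    and is_affected(c.version, adv["ranges"]):
                hits.add((adv["id"], c.ecosystem, c.name, c.version))
    return sorted(hits)

def new_findings(current, previously_reported):
    """Keep only matches not already tracked from an earlier review run."""
    return sorted(set(current) - set(previously_reported))
# Constructed sample data: a three-component SBOM and two advisories.
SBOM = [Component("PyPI", "libfoo", "1.4.2"),
        Component("PyPI", "libbar", "2.0.0"),
        Component("npm", "libfoo", "1.4.2")]   # same name, other ecosystem
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "ecosystem": "PyPI", "package": "libfoo",
     "ranges": [{"introduced": "1.0.0", "fixed": "1.4.3"}]},
    {"id": "EXAMPLE-2024-0002", "ecosystem": "PyPI", "package": "libbar",
     "ranges": [{"introduced": "2.1.0"}]},           # affects 2.1.0 and later
]
KNOWN = []   # findings already in the tracker from the last run

if __name__ == "__main__":
    for f in new_findings(find_affected(SBOM, ADVISORIES), KNOWN):
        print("NEW: %s affects %s/%s %s" % f)
```

Matching on ecosystem as well as name is what keeps the npm `libfoo` from being flagged by a PyPI advisory.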
>Cross-Framework References
Mappings to related frameworks and standards from NIST SP 800-218
- BSA FSS: VM.1-3, VM.3
- BSIMM: AM1.5, CMVM1.2, CMVM2.1, CMVM3.4, CMVM3.7
- CNCF SSCP: Securing Materials—Verification
- EO 14028: 4e(iv), 4e(vi), 4e(viii), 4e(ix)
- IEC 62443: DM-1, DM-2, DM-3
- ISO 29147: 6.2.1, 6.2.2, 6.2.4, 6.3, 6.5
- ISO 30111: 7.1.3
- OWASP SAMM: IM1-A, IM2-B, EH1-B
- OWASP SCVS: 4
- PCI SSLC: 3.4, 4.1, 9.1
- SAFECode Agile: Operational Security Task 5
- SAFECode FPSSD: Vulnerability Response and Disclosure
- SAFECode TPC: MONITOR1
- SP 800-161: SA-10, SR-3, SR-4
- SP 800-181 (NICE): K0009, K0038, K0040, K0070, K0161, K0362, S0078