NOTICE: Due to a lapse in annual appropriations, most of this website is not being updated. Learn more.

Form submissions will still be accepted but will not receive responses at this time. Sections of this site for programs using non-appropriated funds (such as NVLAP) or those that are excepted from the shutdown (such as CHIPS and NVD) will continue to be updated.

U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

PUBLICATIONS

Automation Support for Security Control Assessments: Software Vulnerability Management

Published

Author(s)

Kelley L. Dempsey, Eduardo K. Takamura, Paul Eavy, George Moore

Abstract

The NISTIR 8011 capability-specific volumes focus on the automation of security control assessment within each individual information security capability. The capability-specific volumes add tangible detail to the more general overview given in NISTIR 8011 Volume 1, providing a template for transition to a detailed, NIST standards-compliant automated assessment. This document, Volume 4 of NISTIR 8011, addresses automating the assessment of security controls that support the software vulnerability management security capability to facilitate the management of risk created by defects present in software on the network. Software vulnerability management, in the scope of this document, focuses on known defects that have been discovered in software in use on a system. The Common Weakness Enumeration (CWE) provides identifiers for weaknesses that result from poor coding practices and have the potential to result in software vulnerabilities. The Common Vulnerabilities and Exposures (CVEs) program provides a list of many known vulnerabilities. Together, CVE and CWE are used to identify software defects and the weaknesses that cause a given defect. Vulnerable software is a key target that attackers use to initiate an attack internally and to expand control.
Citation
NIST Interagency/Internal Report (NISTIR) - 8011 Vol. 4
Report Number
8011 Vol. 4
NIST Pub Series
NIST Interagency/Internal Report (NISTIR)
Pub Type
NIST Pubs

Download Paper

DOI Link

Keywords

actual state, assessment, authorization boundary, automation, capability, Common Vulnerability and Exposure (CVE), Common Weakness Enumeration (CWE), dashboard, defect, desired state specification, dynamic code analyzer, Information Security Continuous Monitoring (ISCM), malicious code, malware, mitigation, ongoing assessment, patch management, root cause analysis, security capability, security control item, security control, software file, Software Identification (SWID) tag, software injection, software product, software vulnerability, software weakness, software, static code analyzer
Risk management

Citation

Dempsey, K. , Takamura, E. , Eavy, P. and Moore, G. (2020), Automation Support for Security Control Assessments: Software Vulnerability Management, NIST Interagency/Internal Report (NISTIR), National Institute of Standards and Technology, Gaithersburg, MD, [online], https://doi.org/10.6028/NIST.IR.8011-4 (Accessed October 9, 2025)

Issues

If you have any questions about this publication or are having problems accessing it, please contact [email protected].

Created April 27, 2020, Updated October 12, 2021
Was this page helpful?