NIST 800-53 REV 5 • RISK ASSESSMENT

RA-5(3) Breadth and Depth of Coverage

Define the breadth and depth of vulnerability scanning coverage.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

The breadth of vulnerability scanning coverage can be expressed as a percentage of components within the system, by the particular types of systems, by the criticality of systems, or by the number of vulnerabilities to be checked. Conversely, the depth of vulnerability scanning coverage can be expressed as the level of the system design that the organization intends to monitor (e.g., component, module, subsystem, element). Organizations can determine the sufficiency of vulnerability scanning coverage with regard to its risk tolerance and other factors. Scanning tools and how the tools are configured may affect the depth and coverage. Multiple scanning tools may be needed to achieve the desired depth and coverage. [SP 800-53A](#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d) provides additional information on the breadth and depth of coverage.

Practitioner Notes

Your vulnerability scanning must cover the full breadth of your environment (every in-scope network, host, and cloud account, not only the ones the scanner happened to be pointed at) and provide sufficient depth (credentialed or agent-based scans that can see missing patches and local misconfigurations, not just unauthenticated port and service scans of what is exposed on the network). Document both dimensions so an assessor can see what is in scope, what is scanned, and at what depth.

Example 1: Maintain a scan coverage matrix that shows every IP range, VLAN, and cloud subscription in your environment mapped to the scanner that covers it. Identify any gaps — if you have a new cloud subscription or office network that is not being scanned, add it immediately.

Example 2: Run both unauthenticated and authenticated (credentialed) scans. Unauthenticated scans show what an attacker would see from the network. Authenticated scans log into systems and identify missing patches, misconfigurations, and software vulnerabilities that external scans cannot see. Compare the two to validate coverage: a host that responds to the unauthenticated scan but is absent from the credentialed results, or whose credentialed scan reports a login failure, has been scanned in breadth but not in depth and should be treated as a gap. Scanning credentials are privileged accounts; scope them to what the scanner needs and protect them like any other administrative credential.
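As an added example (not part of this page or of any NIST publication), the following Python script automates both practitioner notes: it computes breadth gaps by subtracting every scanner's configured target ranges from the asset inventory, and depth gaps by cross-checking the unauthenticated scan against the credentialed one. The inventory, scanner targets, and scan records are constructed sample data with hypothetical names and RFC-style addresses; in practice they would be exported from the CMDB and the scanner's API.

```python
"""Breadth and depth coverage check for vulnerability scanning (RA-5(3)).

Added example with constructed data; not the page's or NIST's own code.
"""
import ipaddress

# Constructed asset inventory (hypothetical names and ranges): every network
# the organisation owns and therefore expects to be scanned.
ASSET_INVENTORY = {
    "corp-lan-vlan10": "10.10.0.0/16",
    "dmz": "192.0.2.0/24",
    "aws-prod-vpc": "10.50.0.0/16",
    "branch-office-east": "172.16.20.0/24",
}

# Constructed scanner configuration (hypothetical scanner names): the target
# ranges each scanner is actually configured to scan.
SCANNER_TARGETS = {
    "nessus-dc1": ["10.10.0.0/17", "192.0.2.0/24"],
    "qualys-cloud": ["10.50.0.0/16"],
}

# Constructed scan exports, one record per host. 'credentialed' is whether the
# authenticated scan actually logged in; a False value is a depth gap.
UNAUTH_RESULTS = [
    {"host": "10.10.1.5", "open_ports": [22, 443]},
    {"host": "10.10.1.6", "open_ports": [3389]},
    {"host": "192.0.2.10", "open_ports": [80, 443]},
]
AUTH_RESULTS = [
    {"host": "10.10.1.5", "credentialed": True, "missing_patches": 4},
    {"host": "10.10.1.6", "credentialed": False, "missing_patches": 0},
    # 192.0.2.10 never appeared in the credentialed scan at all.
]


def coverage_gaps(inventory, scanner_targets):
    """Breadth check.

    Returns {asset_name: [uncovered CIDRs]} for every inventory range that is
    not fully contained in the union of all scanners' target ranges.
    """
    covered = [
        ipaddress.ip_network(cidr)
        for targets in scanner_targets.values()
        for cidr in targets
    ]
    gaps = {}
    for name, cidr in inventory.items():
        remaining = [ipaddress.ip_network(cidr)]
        for c in covered:
            still_uncovered = []
            for r in remaining:
                if r.version != c.version:
                    still_uncovered.append(r)        # v4/v6 never overlap
                elif r.subnet_of(c):
                    continue                         # fully covered, drop it
                elif c.subnet_of(r):
                    still_uncovered.extend(r.address_exclude(c))  # carve out
                else:
                    still_uncovered.append(r)        # disjoint, untouched
            remaining = still_uncovered
        if remaining:
            gaps[name] = sorted(str(r) for r in remaining)
    return gaps


def depth_gaps(unauth, auth):
    """Depth check.

    Hosts that answered the unauthenticated scan but either do not appear in
    the credentialed scan or appear with a failed login.
    """
    logged_in = {r["host"] for r in auth if r["credentialed"]}
    return sorted(r["host"] for r in unauth if r["host"] not in logged_in)


def credential_only_findings(auth):
    """Hosts whose missing patches were only visible because the scan logged in.

    Useful evidence for why depth matters: these findings have no network-
    visible signature in the unauthenticated results.
    """
    return {r["host"]: r["missing_patches"]
            for r in auth if r["credentialed"] and r["missing_patches"] > 0}


if __name__ == "__main__":
    print("Breadth gaps:", coverage_gaps(ASSET_INVENTORY, SCANNER_TARGETS))
    print("Depth gaps:", depth_gaps(UNAUTH_RESULTS, AUTH_RESULTS))
    print("Credential-only findings:", credential_only_findings(AUTH_RESULTS))
```

On the sample data the breadth check reports the unscanned upper half of the corporate VLAN and the whole branch office, and the depth check flags the host where the credentialed login failed and the host missing from the credentialed scan. Running this against real inventory and scanner exports on a schedule, and filing the output as the coverage matrix, gives an assessor the breadth and depth evidence this enhancement asks for.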