NIST 800-53 REV 5 • RISK ASSESSMENT

RA-5(5) Privileged Access

Implement privileged access authorization to {{ insert: param, ra-05.05_odp.01 }} for {{ insert: param, ra-05.05_odp.02 }}.

CMMC Practice Mapping

NIST 800-171 Mapping

Related Controls

No related controls listed

Supplemental Guidance

In certain situations, the nature of the vulnerability scanning may be more intrusive, or the system component that is the subject of the scanning may contain classified or controlled unclassified information, such as personally identifiable information. Privileged access authorization to selected system components facilitates more thorough vulnerability scanning and protects the sensitive nature of such scanning.

Practitioner Notes

Many vulnerability checks (installed patch level, local configuration, software inventory, registry and file permissions) can only be performed by logging on to the target, and the logon usually needs privileged (administrator- or root-level) access to read the relevant data. Credentialed scans therefore produce significantly more accurate and complete results than unauthenticated network scans, which can only infer vulnerabilities from exposed services and banners.

Example 1: Create dedicated service accounts used only for vulnerability scanning, with local administrator (or root) privileges on target systems. Use a unique account per scan zone so a compromise of one account does not expose every zone, store the credentials in a vault (CyberArk, Azure Key Vault), and rotate passwords after each scan cycle. Because a scanning account is a high-value credential, also restrict where it can be used: allow logon only from the scanner's source addresses and deny interactive and remote desktop logon for the account.

Example 2: In your Tenable or Qualys configuration, set up scan credentials using domain service accounts with the privileges the scanner requires. Verify credentialed scan success for every host by checking the authentication status in the scan results: if a host shows 'authentication failure' (or authenticated but with insufficient privilege), its results are incomplete and should not be trusted, and a short list of findings for such a host is not evidence that it is clean. Treat each such host as unassessed and track the credential problem to closure.
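The following script is an added example (not part of this control page, and not Tenable's or Qualys's own tooling) of the check described in Example 2: it reads a `.nessus` (v2) XML export and lists the hosts whose credentialed checks did not succeed, so their results can be flagged as incomplete. It assumes that the scanner's "Nessus Scan Information" plugin (assumed here to be plugin ID 19506) reports a line of the form `Credentialed checks : yes` or `Credentialed checks : no` in its plugin output; verify that ID and wording against your own export before relying on it. The sample export embedded below is constructed, and the other plugin ID in it is a placeholder.

```python
"""Flag hosts whose credentialed scan did not succeed in a .nessus (v2) export.

Added example: parses a constructed sample export; adapt the plugin ID and
output wording to what your scanner actually emits.
"""
from dataclasses import dataclass
from typing import List, Optional
import xml.etree.ElementTree as ET

# Assumed ID of Tenable's "Nessus Scan Information" plugin; verify against your export.
SCAN_INFO_PLUGIN_ID = "19506"


@dataclass
class HostAuthStatus:
    host: str
    credentialed: Optional[bool]  # None: no scan-information output found for the host
    finding_count: int            # number of ReportItem entries reported for the host


def parse_credentialed_flag(plugin_output: str) -> Optional[bool]:
    """Return True/False from a 'Credentialed checks : ...' line, or None if absent.

    Newer exports append detail such as "yes, as 'user' via ssh", so only the
    leading yes/no token is inspected.
    """
    for line in plugin_output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "credentialed checks":
            return value.strip().lower().startswith("yes")
    return None


def audit_export(xml_text: str) -> List[HostAuthStatus]:
    """Walk every ReportHost and record whether its scan was credentialed."""
    # Exports from your own scanner are trusted input; for exports from elsewhere
    # parse with defusedxml instead, as ElementTree does not guard against entity expansion.
    root = ET.fromstring(xml_text)
    statuses = []
    for host in root.iter("ReportHost"):
        credentialed = None
        count = 0
        for item in host.iter("ReportItem"):
            count += 1
            if item.get("pluginID") == SCAN_INFO_PLUGIN_ID:
                credentialed = parse_credentialed_flag(item.findtext("plugin_output") or "")
        statuses.append(HostAuthStatus(host.get("name", "?"), credentialed, count))
    return statuses


def untrusted_hosts(statuses: List[HostAuthStatus]) -> List[str]:
    """Hosts whose results are incomplete: auth failed or auth status unknown."""
    return [s.host for s in statuses if s.credentialed is not True]


# Constructed sample export: one credentialed host, one authentication failure,
# and one host with no scan-information output at all. Plugin 100000 is a placeholder.
SAMPLE_EXPORT = """<NessusClientData_v2>
 <Report name="constructed-example">
  <ReportHost name="10.0.1.10">
   <HostProperties><tag name="host-ip">10.0.1.10</tag></HostProperties>
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="19506"
               pluginName="Nessus Scan Information" pluginFamily="Settings">
    <plugin_output>Information about this scan :
Credentialed checks : yes, as 'svc-vscan-zone1' via smb
</plugin_output>
   </ReportItem>
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3" pluginID="100000"
               pluginName="constructed local check" pluginFamily="Windows"/>
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="2" pluginID="100000"
               pluginName="constructed local check" pluginFamily="Windows"/>
  </ReportHost>
  <ReportHost name="10.0.1.11">
   <HostProperties><tag name="host-ip">10.0.1.11</tag></HostProperties>
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="19506"
               pluginName="Nessus Scan Information" pluginFamily="Settings">
    <plugin_output>Information about this scan :
Credentialed checks : no
</plugin_output>
   </ReportItem>
  </ReportHost>
  <ReportHost name="10.0.1.12">
   <HostProperties><tag name="host-ip">10.0.1.12</tag></HostProperties>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""

if __name__ == "__main__":
    results = audit_export(SAMPLE_EXPORT)
    for s in results:
        state = {True: "credentialed", False: "AUTH FAILED", None: "UNKNOWN"}[s.credentialed]
        print(f"{s.host:<12} {state:<13} findings={s.finding_count}")
    print("do not trust:", ", ".join(untrusted_hosts(results)))
```

Run it against a real export by replacing `SAMPLE_EXPORT` with the file contents; the host list it prints is the set to treat as unassessed. Note that the host with a failed logon still carries a small number of findings, which is exactly the false comfort the check is meant to expose.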