NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION

SA-15(7) Automated Vulnerability Analysis

Require the developer of the system, system component, or system service {{ insert: param, sa-15.07_odp.01 }} to:

(a) Perform an automated vulnerability analysis using {{ insert: param, sa-15.07_odp.02 }};
(b) Determine the exploitation potential for discovered vulnerabilities;
(c) Determine potential risk mitigations for delivered vulnerabilities; and
(d) Deliver the outputs of the tools and results of the analysis to {{ insert: param, sa-15.07_odp.03 }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Automated tools can be more effective at analyzing exploitable weaknesses or deficiencies in large and complex systems, prioritizing vulnerabilities by severity, and providing recommendations for risk mitigations.

Practitioner Notes

Use automated tools to continuously analyze code for vulnerabilities rather than relying solely on periodic manual reviews. Automation catches common issues consistently and at scale.

Example 1: Integrate automated vulnerability scanning into every stage of your pipeline: pre-commit hooks check for secrets, pull request checks run SAST analysis, build pipelines scan dependencies, and deployment pipelines run DAST. Each stage catches different types of issues automatically.

Example 2: Use GitHub Advanced Security or GitLab Ultimate with built-in SAST, secret detection, and dependency scanning. Configure these tools to run on every commit and create automatic security alerts. Review and triage findings daily rather than waiting for periodic scan reports.
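The pipeline stages in Example 1 and the daily triage in Example 2 both depend on one step: taking the scanner's output, deciding which findings matter, and handing a prioritised list to whoever owns the fix. The following script is an added illustration, not NIST text and not part of any vendor's tooling. It reads SARIF 2.1.0, the interchange format that CodeQL, Semgrep and GitHub code scanning emit, scores each finding for exploitation potential (control item b), pulls the tool's own mitigation text (item c), and produces a gate decision plus a report for delivery (item d). The SARIF document, the exposure weights and the 7.0 threshold are constructed for the example; a real deployment would replace them with the organisation's own policy.

```python
"""Triage SARIF output from an automated scanner and gate a pipeline stage.

Added example, not NIST or vendor code. Assumes the scanner writes SARIF 2.1.0
and, as CodeQL does, puts a CVSS-style "security-severity" on each rule.
The sample document, exposure weights and threshold below are constructed.
"""
import json
from dataclasses import dataclass

# Constructed SARIF 2.1.0 document standing in for a real SAST run.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast", "rules": [
            {"id": "py/sql-injection",
             "shortDescription": {"text": "SQL query built from user input"},
             "help": {"text": "Use parameterised queries."},
             "properties": {"security-severity": "9.8"}},
            {"id": "py/weak-hash",
             "shortDescription": {"text": "Weak hash used for passwords"},
             "help": {"text": "Use a password hash such as bcrypt or Argon2."},
             "properties": {"security-severity": "5.9"}},
            {"id": "py/unused-import",
             "shortDescription": {"text": "Unused import"}},
        ]}},
        "results": [
            {"ruleId": "py/sql-injection", "level": "error",
             "message": {"text": "query uses request.args['id']"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/api/users.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "py/weak-hash", "level": "warning",
             "message": {"text": "md5 used"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "tests/test_auth.py"},
                 "region": {"startLine": 7}}}]},
            {"ruleId": "py/unused-import", "level": "note",
             "message": {"text": "os imported but unused"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/util.py"},
                 "region": {"startLine": 1}}}]},
        ],
    }],
})

# Fallback severity when a rule carries no CVSS-style score (constructed mapping).
LEVEL_SCORE = {"error": 7.0, "warning": 4.0, "note": 1.0, "none": 0.0}


@dataclass
class Finding:
    rule_id: str
    title: str
    severity: float    # 0-10 from the tool, or mapped from the SARIF level
    exposure: float    # constructed weight for exploitation potential
    path: str
    line: int
    mitigation: str    # the tool's own help text, i.e. the proposed mitigation

    @property
    def priority(self) -> float:
        return round(self.severity * self.exposure, 1)


def exposure_weight(path: str) -> float:
    """Constructed heuristic for item (b), exploitation potential: code on an
    externally reachable path is weighted up, test code weighted down."""
    if path.startswith("tests/"):
        return 0.3
    if "/api/" in path or "/handlers/" in path:
        return 1.5
    return 1.0


def parse_sarif(text: str) -> list[Finding]:
    """Flatten every run in a SARIF document into findings, highest priority first."""
    doc = json.loads(text)
    findings = []
    for run in doc["runs"]:
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for res in run.get("results", []):
            rule = rules.get(res.get("ruleId"), {})
            props = rule.get("properties", {})
            fallback = LEVEL_SCORE.get(res.get("level", "warning"), 4.0)
            severity = float(props.get("security-severity", fallback))
            loc = res["locations"][0]["physicalLocation"]
            path = loc["artifactLocation"]["uri"]
            findings.append(Finding(
                rule_id=res.get("ruleId", "unknown"),
                title=rule.get("shortDescription", {}).get("text", res["message"]["text"]),
                severity=severity,
                exposure=exposure_weight(path),
                path=path,
                line=loc.get("region", {}).get("startLine", 0),
                mitigation=rule.get("help", {}).get("text", "no guidance from tool"),
            ))
    return sorted(findings, key=lambda f: f.priority, reverse=True)


def gate(findings: list[Finding], fail_at: float = 7.0) -> tuple[bool, list[Finding]]:
    """Pipeline gate: fail the stage if any finding reaches the threshold."""
    blocking = [f for f in findings if f.priority >= fail_at]
    return (not blocking, blocking)


def report(findings: list[Finding]) -> str:
    """Item (d): the text handed to the triage owner, ordered by priority."""
    return "\n".join(
        f"{f.priority:>5}  {f.rule_id:<18} {f.path}:{f.line}  fix: {f.mitigation}"
        for f in findings
    )


if __name__ == "__main__":
    found = parse_sarif(SAMPLE_SARIF)
    print(report(found))
    ok, blockers = gate(found)
    raise SystemExit(0 if ok else 1)
```

Run as the last step of a SAST or dependency-scan job, the non-zero exit is what turns the scanner's output into a pipeline decision; the printed report is what gets attached to the pull request or ticket. Note that the SQL injection finding outranks its raw CVSS score because it sits under an API path, while the weak-hash finding in test code drops below the gate: that exposure weighting is the constructed stand-in for the "exploitation potential" judgement the control asks the developer to make.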