
NISTIR 8011 Vol. 4

Automation Support for Security Control Assessments: Software Vulnerability Management

Date Published: April 2020


Kelley Dempsey (NIST), Eduardo Takamura (NIST), Paul Eavy (DHS), George Moore



Keywords:
actual state; assessment; authorization boundary; automation; capability; Common Vulnerability and Exposure (CVE); Common Weakness Enumeration (CWE); dashboard; defect; desired state specification; dynamic code analyzer; Information Security Continuous Monitoring (ISCM); malicious code; malware; mitigation; ongoing assessment; patch management; root cause analysis; security capability; security control item; security control; software file; Software Identification (SWID) tag; software injection; software product; software vulnerability; software weakness; software; static code analyzer

Control Families

None selected


NISTIR 8011 Vol. 4 (DOI)
Local Download

Supplemental Material:
None available

Other Parts of this Publication:
NISTIR 8011 Vol. 1
NISTIR 8011 Vol. 2
NISTIR 8011 Vol. 3

Document History:
11/20/19: NISTIR 8011 Vol. 4 (Draft)
04/28/20: NISTIR 8011 Vol. 4 (Final)