Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

NIST IR 8011 Vol. 4

Automation Support for Security Control Assessments: Software Vulnerability Management

Date Published: April 2020

Planning Note (02/22/2023):

The NIST Risk Management Framework (RMF) team seeks feedback on our NIST IR 8011 series publications and their use.

See the Call for Feedback to learn more details about what we would like to know. Feedback can be sent to; there is no closing date.


Kelley Dempsey (NIST), Eduardo Takamura (NIST), Paul Eavy (DHS), George Moore



actual state; assessment; authorization boundary; automation; capability; Common Vulnerability and Exposure (CVE); Common Weakness Enumeration (CWE); dashboard; defect; desired state specification; dynamic code analyzer; Information Security Continuous Monitoring (ISCM); malicious code; malware; mitigation; ongoing assessment; patch management; root cause analysis; security capability; security control item; security control; software file; Software Identification (SWID) tag; software injection; software product; software vulnerability; software weakness; software; static code analyzer
Control Families

None selected


Download URL

Supplemental Material:
None available

Publication Volumes:
IR 8011 Vol. 1
IR 8011 Vol. 2
IR 8011 Vol. 3

Document History:
11/20/19: IR 8011 Vol. 4 (Draft)
04/28/20: IR 8011 Vol. 4 (Final)