U.S. flag   An unofficial archive of your favorite United States government website
Dot gov

Official websites do not use .rip
We are an unofficial archive, replace .rip by .gov in the URL to access the official website. Access our document index here.


Secure websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to our website. Please do not share sensitive information with us.

This is an archive
(replace .gov by .rip)

NISTIR 8011 Vol. 4

Automation Support for Security Control Assessments: Software Vulnerability Management

Date Published: April 2020


Kelley Dempsey (NIST), Eduardo Takamura (NIST), Paul Eavy (DHS), George Moore



actual state; assessment; authorization boundary; automation; capability; Common Vulnerability and Exposure (CVE); Common Weakness Enumeration (CWE); dashboard; defect; desired state specification; dynamic code analyzer; Information Security Continuous Monitoring (ISCM); malicious code; malware; mitigation; ongoing assessment; patch management; root cause analysis; security capability; security control item; security control; software file; Software Identification (SWID) tag; software injection; software product; software vulnerability; software weakness; software; static code analyzer
Control Families

None selected


NISTIR 8011 Vol. 4 (DOI)
Local Download

Supplemental Material:
None available

Other Parts of this Publication:
NISTIR 8011 Vol. 1
NISTIR 8011 Vol. 2
NISTIR 8011 Vol. 3

Document History:
11/20/19: NISTIR 8011 Vol. 4 (Draft)
04/28/20: NISTIR 8011 Vol. 4 (Final)