History

Priority

recommended

2015

Agencies should conduct vulnerability assessments on systems:• before the system is deployed, this includes conducting assessments during the systemdesign and development stages• after a significant change to the system• after significant changes to the threats or risks faced by a system, for example, a softwarevendor announces a critical vulnerability in a product used by the agency• at least annually, or as specified by an ITSM or the system owner.

2010

It is recommended agencies conduct vulnerability assessments on systems:• before the system is first used• after a significant change to the system• as specified by an ITSM or the system owner.