NIST CSF 2.0 - Identify

ID.RA-01: Vulnerability Identification

ID.RA-01 requires that vulnerabilities in assets are identified, validated and recorded. This NIST CSF 2.0 control falls under the Identify (ID) function and the Risk Assessment category. Use this checklist to verify implementation and prepare evidence for auditors.

Control Details

Control ID: ID.RA-01
Title: Vulnerability Identification
Function: Identify (ID)
Category: Risk Assessment
Framework: NIST CSF 2.0

Vulnerabilities in assets are identified, validated and recorded.

The organization uses vulnerability scanning, penetration testing and threat intelligence to discover weaknesses before adversaries exploit them.

Why This Matters

Unidentified vulnerabilities are the primary enabler of cyberattacks. Regular vulnerability identification reduces the attack surface and provides the foundation for risk-based remediation decisions.

Implementation Checklist

Use this checklist to verify your organization meets the requirements of ID.RA-01.

Evidence an Auditor Expects

Prepare the following documentation and artifacts to demonstrate compliance with ID.RA-01 during an audit.

  • Vulnerability scan reports with dates and scope documentation
  • Penetration testing reports from qualified assessors
  • Vulnerability tracking system or register exports
  • Evidence of vulnerability intelligence feed subscriptions
  • Remediation priority assignments with rationale

Common Gaps We Find

Based on our penetration testing and risk assessment engagements, these are the gaps organizations most frequently have with ID.RA-01.

  • Vulnerability scans run unauthenticated and miss credentialed checks
  • Penetration testing has not been performed in over 12 months
  • Vulnerability tracking relies on scan tool dashboards with no centralized remediation tracking
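As an added example (not part of this page and not Sherlock Forensics' tooling), the following Python sketches a minimal centralized vulnerability register that records findings from scanners, penetration tests and threat intelligence in one place and reports on the three gaps listed above: assets with no recent credentialed scan, penetration testing older than 12 months, and open findings with no remediation owner or due date. The class and function names, the 90-day scan window and all sample scans and findings are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class ScanRun:
    """One vulnerability scan of one asset (constructed schema)."""
    asset: str
    run_date: date
    credentialed: bool          # authenticated scan vs network-only view


@dataclass
class Finding:
    """One recorded vulnerability, whatever its source (constructed schema)."""
    finding_id: str
    asset: str
    source: str                 # "scanner", "pentest" or "threat-intel"
    title: str
    severity: str
    discovered: date
    validated: bool = False     # confirmed real, not a scanner false positive
    owner: Optional[str] = None  # remediation owner
    due: Optional[date] = None   # remediation due date
    status: str = "open"


@dataclass
class VulnRegister:
    """Single system of record for scan, pentest and intel findings."""
    last_pentest: Optional[date] = None
    scans: List[ScanRun] = field(default_factory=list)
    findings: Dict[str, Finding] = field(default_factory=dict)

    def record(self, f: Finding) -> bool:
        """Record a finding once; re-ingesting the same id is a no-op."""
        if f.finding_id in self.findings:
            return False
        self.findings[f.finding_id] = f
        return True

    def assets_without_credentialed_scan(self, today: date, window_days: int = 90) -> List[str]:
        """Gap 1: assets that were scanned in the window but only unauthenticated."""
        cutoff = today - timedelta(days=window_days)
        seen, credentialed = set(), set()
        for s in self.scans:
            if s.run_date < cutoff:
                continue            # stale scans do not count as coverage
            seen.add(s.asset)
            if s.credentialed:
                credentialed.add(s.asset)
        return sorted(seen - credentialed)

    def pentest_overdue(self, today: date, max_days: int = 365) -> bool:
        """Gap 2: no penetration test on record within the last max_days."""
        return self.last_pentest is None or (today - self.last_pentest).days > max_days

    def untracked_open_findings(self) -> List[str]:
        """Gap 3: open findings that live only on a dashboard, with no owner or due date."""
        return sorted(i for i, f in self.findings.items()
                      if f.status == "open" and (f.owner is None or f.due is None))

    def unvalidated_findings(self) -> List[str]:
        """Findings recorded but not yet validated (ID.RA-01 asks for both)."""
        return sorted(i for i, f in self.findings.items() if not f.validated)

    def audit_summary(self, today: date) -> dict:
        """Evidence-style summary an assessor could review alongside exports."""
        return {
            "findings_recorded": len(self.findings),
            "assets_without_credentialed_scan": self.assets_without_credentialed_scan(today),
            "pentest_overdue": self.pentest_overdue(today),
            "untracked_open_findings": self.untracked_open_findings(),
            "unvalidated_findings": self.unvalidated_findings(),
        }


def build_sample_register() -> VulnRegister:
    """Constructed sample data: two assets, three scans, three findings."""
    reg = VulnRegister(last_pentest=date(2024, 1, 15))
    reg.scans += [
        ScanRun("web-01", date(2025, 3, 1), credentialed=True),
        ScanRun("db-01", date(2025, 3, 1), credentialed=False),
        ScanRun("db-01", date(2024, 11, 1), credentialed=True),   # outside the 90-day window
    ]
    reg.record(Finding("F-1", "web-01", "scanner", "Outdated TLS configuration", "medium",
                       date(2025, 3, 1), validated=True, owner="platform", due=date(2025, 4, 1)))
    reg.record(Finding("F-2", "db-01", "scanner", "Missing vendor patch", "high", date(2025, 3, 1)))
    reg.record(Finding("F-2", "db-01", "scanner", "Missing vendor patch", "high", date(2025, 3, 1)))  # duplicate ingest, ignored
    reg.record(Finding("F-3", "web-01", "threat-intel", "Actively exploited component", "critical",
                       date(2025, 3, 5), validated=True))
    return reg


if __name__ == "__main__":
    print(build_sample_register().audit_summary(date(2025, 3, 10)))
```

Run as a script it prints the summary for the constructed data: db-01 has only unauthenticated coverage in the window, the last penetration test is more than a year old, and F-2 and F-3 are open with no owner or due date. Each of these maps to one of the evidence items above, so the same register export can back the audit rather than a screenshot of a scanner dashboard.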

FAQ

What does ID.RA-01 require?
ID.RA-01 (Vulnerability Identification) requires that vulnerabilities in assets are identified, validated and recorded. The organization uses vulnerability scanning, penetration testing and threat intelligence to discover weaknesses before adversaries exploit them. This control is part of the NIST CSF 2.0 Identify function under the Risk Assessment category.
How do I prove compliance with ID.RA-01?
To demonstrate compliance with ID.RA-01, prepare the following evidence: Vulnerability scan reports with dates and scope documentation; Penetration testing reports from qualified assessors; Vulnerability tracking system or register exports. Auditors will verify that these artifacts exist and reflect current operational practices.

Need Help Meeting NIST CSF 2.0 Requirements?

Our penetration testing and risk assessments map directly to NIST CSF 2.0 controls. Sherlock Forensics identifies gaps in your compliance posture and provides actionable remediation guidance.

Get a Compliance Assessment