PCI ASV 3.0 Program Guide - "Special Notes"
Barring any urgent vulnerability checks that may be released before then, as of June 19, 2017, Coalfire's ASV process will align with PCI DSS v3.2 and the other PCI DSS program documents. Applicable "Special Notes" must now be completed before a passing scan report is issued.
Prior to the release date, process and help documentation for Special Notes will be made available to all customers.
What are “Special Notes”?
Special Notes are used to disclose the presence of certain software or configurations that may pose a risk to the scan customer's environment because of insecure implementation, rather than because of an exploitable vulnerability. Scan customers must include the following information in each Special Note:
- The declared business need for the software
- The scan customer's description of the action taken, and a declaration that the software is either implemented securely or has been removed
What does this mean for scan customers?
Coalfire ASVs must ensure that an applicable and relevant scan customer declaration is provided for each Special Note before issuing a passing scan report. Within CoalfireOne, customers will see varying messages depending on the results of their scan:
- When the ASV scan has at least one incomplete special host, the customer will see the following language in the UI:
  - "Remediate and/or dispute all failing vulnerabilities and complete all special hosts. Coalfire will not be notified this scan is ready for review until all Special Notes are complete and zero failing vulnerabilities exist. Per the ASV 3.0 requirements regarding special hosts: 'The ASV must declare a report as FAILED until all applicable scan customer declarations have been obtained and reviewed by the ASV.'"
- When the customer remediates/disputes all failing vulnerabilities and completes all Special Notes, the customer will see the following in the UI:
  - "Coalfire is currently reviewing Special Notes. If Coalfire needs further clarity on a Special Note, a scan analyst will contact you via email. If all Special Notes are satisfactory, Coalfire will move this scan into a passing state."
- When the scan is "Complete/PASS":
  - You will see the scan in a pass state when all failing vulnerabilities have been remediated/disputed and all completed Special Notes have been approved by Coalfire.
If you have any questions regarding the new Special Notes process, please contact firstname.lastname@example.org or review the ASV Program Guide v3.0.
Have a question about CoalfireOne?
The ScanDesk is ready to help. M-F: 6 AM-6 PM MT
650-597-4510 | email@example.com