The organization reviews historic audit logs to determine if a vulnerability identified in the information system has been previously exploited.
RA-5 (8) Requirements: This enhancement is required for all high vulnerability scan findings.
Guidance: While scanning tools may label findings as high or critical, the intent of the control is based around NIST's definition of high vulnerability.