
How to Build a Periodic Vulnerability Scanning Program for All Network-Connected Devices (Servers, Desktops, Laptops, VMs, Containers, Firewalls, Switches, Printers) - NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - RA.L2-3.11.2

Practical step-by-step guidance to design and operate a periodic vulnerability scanning program for all network-connected devices to meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 RA.L2-3.11.2 requirements.

April 20, 2026

NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 control RA.L2-3.11.2 requires organizations to perform periodic vulnerability scans across all network-connected devices. That mandate can be operationalized with a repeatable program that discovers assets, runs both authenticated and unauthenticated scans, integrates with patching and ticketing, and produces audit-ready evidence. This post lays out a practical end-to-end approach for small businesses and compliance teams seeking to meet that requirement.

1) Start with a complete asset inventory and clear scope

Compliance begins with knowing what you own. Use Active Directory, DHCP leases, cloud asset APIs (AWS, Azure), network discovery (Nmap), and your CMDB to build a canonical inventory that lists device type (server, desktop, laptop, VM, container host, firewall, switch, printer), owner, OS/version, network location, and whether the device stores or processes CUI. For small businesses, a simple spreadsheet or lightweight CMDB (e.g., Ralph, iTop, Snipe-IT) is acceptable as long as it’s kept current and reconciled monthly against network discovery results.
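One way to run the monthly reconciliation described above, as an added example that is not part of the original post: it parses Nmap's XML output (-oX) and compares the hosts reported up against the inventory, flagging rogue hosts and CUI-handling assets that were not seen. The inventory rows and the Nmap XML are constructed samples.

```python
"""Reconcile a CMDB/spreadsheet inventory against Nmap discovery results.
Added example (not from the original post). Assumes inventory rows with an
IP, type, owner and CUI flag, plus Nmap XML output; both are constructed."""
import xml.etree.ElementTree as ET

# Constructed inventory rows, as a small business might keep them in a CMDB.
INVENTORY = [
    {"ip": "10.0.1.10", "type": "server", "owner": "it-ops", "cui": True},
    {"ip": "10.0.1.11", "type": "printer", "owner": "facilities", "cui": False},
    {"ip": "10.0.1.12", "type": "firewall", "owner": "it-ops", "cui": False},
]

# Constructed, trimmed Nmap XML (shape of `nmap -sn 10.0.1.0/24 -oX discovery.xml`).
NMAP_XML = """<?xml version="1.0"?>
<nmaprun>
  <host><status state="up"/><address addr="10.0.1.10" addrtype="ipv4"/></host>
  <host><status state="down"/><address addr="10.0.1.11" addrtype="ipv4"/></host>
  <host><status state="up"/><address addr="10.0.1.12" addrtype="ipv4"/></host>
  <host><status state="up"/><address addr="10.0.1.99" addrtype="ipv4"/></host>
</nmaprun>"""

def live_hosts(nmap_xml):
    """Return the set of IPv4 addresses Nmap reported as up."""
    root = ET.fromstring(nmap_xml)
    ips = set()
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                ips.add(addr.get("addr"))
    return ips

def reconcile(inventory, nmap_xml):
    """Compare inventory with discovery. Rogue hosts need an owner and a scan
    profile; inventory entries not seen may be stale, offline, or on the
    wrong VLAN, and CUI assets among them deserve immediate follow-up."""
    seen = live_hosts(nmap_xml)
    known = {row["ip"]: row for row in inventory}
    not_seen = known.keys() - seen
    return {
        "rogue": sorted(seen - known.keys()),
        "not_seen": sorted(not_seen),
        "cui_not_seen": sorted(ip for ip in not_seen if known[ip]["cui"]),
    }
```

Pointing `live_hosts` at a real discovery file (`nmap -sn <subnet> -oX discovery.xml`) and the inventory export gives the monthly reconciliation list without manual comparison.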

2) Define scanning methodology: agent vs agentless, credentialed vs non-credentialed

Decide which scanning approach fits each asset class. For servers, VMs, and desktops, use credentialed (authenticated) scans whenever possible: enable SSH keys for Linux or a dedicated domain service account with limited privileges for Windows WMI/WinRM scans so the scanner can enumerate installed packages, missing patches, config issues, and registry risks. For network devices (firewalls, switches, printers) leverage SNMPv3 and vendor APIs; many vulnerabilities are only visible via SNMP or API queries or by parsing firmware versions. Containers require image-scanning (Trivy, Anchore, Clair) in CI/CD plus runtime scanning of hosts and orchestration layers (Kubernetes) because host-level misconfigurations and kernel vulnerabilities are also in-scope.

3) Tooling choices and configuration specifics

Select tools that map to your environment and budget. Open-source options include GVM/OpenVAS for general scanning and Trivy/Clair for container images; commercial options such as Tenable Nessus/IO, Qualys, and Rapid7 offer credentialed scans, asset discovery, web app scanning, and integration hooks. Configure scanners to use SSH keys and service accounts for authenticated scans, limit scan concurrency to avoid a denial of service on critical systems, exclude known maintenance windows, and import vulnerability feeds (NVD, vendor advisories). For cloud assets, enable AWS Inspector and Azure Defender to supplement network scans and cover ephemeral resources (auto-scaling groups, serverless).

4) Scanning cadence, prioritization, and SLAs

RA.L2-3.11.2 requires periodic scanning but doesn’t prescribe exact frequencies, so design a risk-based cadence. Example small-business schedule: external-facing systems and internet-facing services weekly; critical servers and CUI-handling endpoints weekly or biweekly; internal desktops and office printers monthly; low-risk lab or demo systems quarterly. Map remediation SLAs by severity (recommended baseline): Critical, 7 days; High, 30 days; Medium, 90 days; Low, tracked for patch windows. Document your rationale in policy and ensure exception and risk-acceptance processes are in place when fixes cannot be applied quickly (including compensating controls such as additional segmentation or monitoring).

5) Integrate with patch management, ticketing, and CI/CD

Automate the workflow: scanner -> VM/host metadata -> ticketing system (Jira, ServiceNow) with prefilled fields (asset owner, CVE, CVSS, remediation steps). Integrate scanner outputs into your patch management process (WSUS/SCCM for Windows, apt/yum for Linux, vendor firmware update procedures for appliances). For containers, tie image scanning into CI pipelines: fail builds on high/critical CVEs or produce automatic tickets for developers. This reduces manual effort and provides auditable trails for compliance reviews.
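The container CI gate described above, as an added example that is not code from the original post or from the Trivy project: it reads a Trivy JSON image report, fails the stage when any HIGH or CRITICAL finding is present, and flattens every finding into the prefilled fields a ticketing integration needs. The report is a constructed sample in Trivy's JSON shape with placeholder CVE ids.

```python
"""CI gate on a Trivy JSON image report. Added example, not from the post or
Trivy; assumes the output of `trivy image --format json`. The report below is
a constructed sample with placeholder CVE ids."""
import json

FAIL_ON = {"CRITICAL", "HIGH"}

# Constructed report in Trivy's shape; Trivy omits "Vulnerabilities" for clean targets.
TRIVY_REPORT = json.dumps({
    "ArtifactName": "registry.example/app:1.2.3",
    "Results": [
        {"Target": "registry.example/app:1.2.3 (alpine 3.19)", "Class": "os-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-1111", "PkgName": "openssl", "Severity": "HIGH",
              "InstalledVersion": "3.1.0-r0", "FixedVersion": "3.1.4-r0"},
             {"VulnerabilityID": "CVE-0000-2222", "PkgName": "busybox", "Severity": "MEDIUM",
              "InstalledVersion": "1.36.0-r0", "FixedVersion": ""}]},
        {"Target": "app/requirements.txt", "Class": "lang-pkgs"},
    ],
})

def ticket_rows(report_json, fail_on=FAIL_ON):
    """Flatten the report into rows a ticketing integration can file directly."""
    report = json.loads(report_json)
    rows = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            fix = vuln.get("FixedVersion")
            rows.append({
                "image": report.get("ArtifactName"),
                "target": result.get("Target"),
                "cve": vuln["VulnerabilityID"],
                "severity": vuln.get("Severity", "UNKNOWN"),
                "package": vuln.get("PkgName"),
                "remediation": f"upgrade {vuln.get('PkgName')} to {fix}" if fix
                               else "no vendor fix yet; track as a risk-acceptance exception",
                "blocks_build": vuln.get("Severity") in fail_on,
            })
    return rows

def gate(report_json, fail_on=FAIL_ON):
    """Return (exit_code, rows); a non-zero code fails the pipeline stage."""
    rows = ticket_rows(report_json, fail_on)
    return (1 if any(r["blocks_build"] for r in rows) else 0), rows

if __name__ == "__main__":
    import sys
    code, rows = gate(TRIVY_REPORT)
    for r in rows:
        print(f"{r['severity']:8} {r['cve']} {r['package']}: {r['remediation']}")
    sys.exit(code)
```

Findings without a vendor fix are not silently dropped; they are returned with an exception note so the developer ticket and the risk-acceptance record both get created.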

6) Special handling: network appliances, printers, and unmanaged devices

Network appliances and printers are common blind spots. Use SNMPv3 and vendor management APIs to detect firmware levels and configuration vulnerabilities; maintain a separate runbook for vendor firmware updates (firewalls and switches often need scheduled maintenance windows). For unmanaged or IoT devices, place them on segmented VLANs with ACLs and use periodic non-credentialed scans plus passive monitoring (network IDS/flow analysis) to detect anomalous behavior and compensate for limited patchability.

7) Reporting, metrics, and audit evidence

Create a compliance dashboard that shows: scan coverage percentage (assets scanned / total inventory), time since last scan per asset, open vulnerabilities by severity, mean time to remediate by severity, and exception records. Export and retain scan reports, ticket history, and executive summaries for auditors. For CMMC and NIST assessments, produce artifacts that show recurring scans, remediation tickets, and meetings where risk acceptance decisions were made.
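The dashboard metrics listed above, computed against the cadence and SLA baseline from section 4, as an added example that is not part of the original post: coverage percentage, assets whose last scan is older than their class cadence, open findings past their severity SLA, and mean time to remediate per severity. Asset and finding records are constructed, with placeholder CVE ids.

```python
"""Dashboard metrics for a periodic scanning program (added example, not from the post).
Cadence/SLA numbers follow the post's baseline; asset and finding records are constructed."""
from datetime import date

# Scan cadence in days per asset class and remediation SLA in days per severity.
CADENCE_DAYS = {"external": 7, "critical": 7, "cui_endpoint": 14, "desktop": 30, "printer": 30, "lab": 90}
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90}   # Low: tracked for patch windows, no SLA
# Constructed inventory rows with the date of the last completed scan.
ASSETS = [
    {"id": "web01", "class": "external", "last_scan": date(2026, 4, 10)},
    {"id": "fs01", "class": "critical", "last_scan": date(2026, 4, 18)},
    {"id": "prn01", "class": "printer", "last_scan": None},   # never scanned
]
# Constructed findings; CVE ids are placeholders, not real identifiers.
FINDINGS = [
    {"asset": "web01", "cve": "CVE-0000-0001", "severity": "Critical",
     "found": date(2026, 4, 1), "fixed": date(2026, 4, 5)},
    {"asset": "web01", "cve": "CVE-0000-0002", "severity": "High",
     "found": date(2026, 3, 1), "fixed": None},
    {"asset": "fs01", "cve": "CVE-0000-0003", "severity": "Medium",
     "found": date(2026, 4, 15), "fixed": None},
]

def scan_is_current(asset, today):
    """True when the asset was scanned within its class cadence."""
    last = asset["last_scan"]
    return last is not None and (today - last).days <= CADENCE_DAYS[asset["class"]]

def coverage_pct(assets, today):
    """Dashboard 'coverage %': assets with a current scan / total inventory."""
    current = sum(1 for a in assets if scan_is_current(a, today))
    return round(100.0 * current / len(assets), 1)

def overdue_scans(assets, today):
    """Assets never scanned or whose last scan is older than their cadence."""
    return [a["id"] for a in assets if not scan_is_current(a, today)]

def sla_breaches(findings, today):
    """Open findings past their severity SLA; each needs a ticket or a documented exception."""
    return [f["cve"] for f in findings
            if f["fixed"] is None and f["severity"] in SLA_DAYS
            and (today - f["found"]).days > SLA_DAYS[f["severity"]]]

def mttr_days(findings):
    """Mean time to remediate per severity, over closed findings only."""
    durations = {}
    for f in findings:
        if f["fixed"] is not None:
            durations.setdefault(f["severity"], []).append((f["fixed"] - f["found"]).days)
    return {sev: sum(d) / len(d) for sev, d in durations.items()}
```

Run with the date of the report as `today`; the overdue and breach lists are the items an assessor will ask about, so each should map to a ticket or an exception record.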

8) Risks of not implementing periodic vulnerability scanning

Failure to implement RA.L2-3.11.2-style scanning leaves blind spots that attackers exploit for initial compromise and lateral movement. Unpatched CVEs on servers or firmware flaws on network devices can lead to data exfiltration, ransomware, or loss of Controlled Unclassified Information (CUI). From a compliance perspective, missing scans or remediation evidence can result in failed assessments, loss of DoD contracts, and reputational and financial damage.

9) Compliance tips and best practices

Maintain a written vulnerability management policy that references RA.L2-3.11.2, document your scan schedule and rationale, and keep a continuous improvement loop: tune scanners to reduce false positives, validate remediation with follow-up scans, and run tabletop exercises simulating discovery-to-remediation workflows. For small businesses, start small (critical assets first), automate ticket creation, and gradually expand coverage. Keep scanner credentials in a secrets store (Vault, AWS Secrets Manager) and rotate keys on a schedule to maintain least privilege.

Summary: Meet RA.L2-3.11.2 by building an asset-backed, risk-prioritized scanning program that uses authenticated scans where possible, integrates with patching and ticketing, covers special device classes (containers, network appliances, printers), documents remediation SLAs and exceptions, and produces audit-ready metrics. Doing so not only supports compliance with NIST SP 800-171 / CMMC Level 2 but also materially reduces your attack surface and exposure to breaches.

 
