Meeting NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 control RA.L2-3.11.2 requires implementing both periodic (scheduled) and triggered vulnerability scanning across your environment — servers, desktops, laptops, VMs, containers, firewalls, switches, and printers — and this post gives a pragmatic, step-by-step Nessus-focused approach to do that in a small-business environment while documenting evidence for auditors.
What RA.L2-3.11.2 requires and how to scope your program
RA.L2-3.11.2 expects organizations to scan for vulnerabilities at an organizationally-defined frequency and whenever significant changes occur. For a small business, define a documented scanning cadence (for example: internal credentialed scans weekly, external unauthenticated scans monthly, and full credentialed network scans monthly) and a list of change triggers (new asset on-boarding, post-patch windows, build completions, cloud instance provisioning, infrastructure changes, and detected incidents). Maintain an asset inventory (hostname, IP, owner, criticality, CUI presence) and map assets to scan types so auditors can see scope and frequency aligned to the control.
Step-by-step: Installing and configuring Nessus for compliance
Install Nessus and create your scanner architecture
For small teams use Nessus Professional for internal scanning or Nessus Manager/Tenable.sc for central management. Installation notes: on Linux download the appropriate .rpm/.deb from Tenable, install via dpkg -i or rpm -i, enable and start the nessusd service, and complete the initial web-based setup on port 8834. For distributed environments use Nessus Agents on endpoints that are frequently offline (laptops, remote desktops), and deploy a Nessus scanner inside each major network segment or cloud VPC to avoid firewall issues. Ensure the scanner host has SSH/SNMP/API access to target subnets and that firewall rules allow scanning traffic from the scanner's IPs.
Hardening scanner and connecting to compliance workflows
Harden Nessus by restricting web UI access to the SOC/admin workstation IP range, enabling TLS, rotating scanner and scan credentials, and storing scan reports in a SIEM or secure file server under a retention policy (evidence for auditors). Integrate with your ticketing system (ServiceNow, Jira) via webhook or the Tenable API so that scan findings automatically generate remediation tickets tagged with asset owner and SLA. Document scanner policies, scheduling, and retention procedures in a written scanning program aligned to your compliance framework so you can show auditors the process that implements RA.L2-3.11.2.
Creating scan policies per asset type (technical specifics)
Servers, desktops, laptops, and VMs (credentialed)
Create credentialed policies: for Windows use SMB/WMI credentials (domain or local admin) and enable Windows patches and registry checks; for Linux use SSH with a user that has sudo or root access and enable package manager checks. In Nessus policy settings: enable "authenticated checks", include relevant plugins (CVE, compliance, local security checks), set port scanning to the required range (1-65535 for full host assessment), and enable safe checks for production servers or schedule maintenance windows. Use Nessus Agents for remote/mobile endpoints to perform incremental scans and push results to the manager — this reduces network load and captures devices that are off-network during scheduled network scans.
Containers and cloud VMs
For containers, scan images during CI/CD (use container image scanning plugins or integrate Tenable.io Container Security if available) and run network host-level scans on container hosts and orchestration APIs (Docker, Kubernetes API endpoints) with appropriate credentials or API tokens. For cloud VMs use cloud connectors (AWS, Azure) when possible so you can enumerate instances and apply tags to schedule scans; ensure credentials used have read-only scope to list instances and limited permissions to avoid privilege escalation risk.
Firewalls, switches, and printers (network-device focused)
Network devices often require SNMP v2/v3 or vendor-specific credentials. In Nessus create a policy that uses SNMP community strings or SNMPv3 credentials to perform configuration and firmware checks, enable device-specific plugins (Cisco, Juniper, Fortinet), and use safe checks to avoid disruptive tests on critical network gear. For printers and IoT-like devices with limited or no credentialed access, run authenticated scans where the device supports them; otherwise run non-credentialed network scans with tuned plugin sets to reduce false positives, and document the limitation in your compliance evidence.
Scheduling periodic scans and configuring triggered scans
Define a schedule that balances coverage and risk: small businesses might run weekly agent-based credentialed scans (endpoints), monthly full-credentialed network scans (servers, network devices), and quarterly external-facing scans. Configure triggered scans in Nessus using APIs or automation: trigger a scan after a CI/CD image build, after a patch window, or via a webhook from your change management system when a new device is onboarded. Example workflow: IT completes a change ticket to add a new server → ticket system sends webhook to Nessus API to run an immediate full credentialed scan → results generate a remediation ticket if critical findings exist. Keep a log of triggers tied to change tickets and store snapshots of pre/post-scan reports as audit evidence.
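The change-ticket trigger described above, as an added Python example (not code from the original post or from Tenable): a webhook handler that launches an existing credentialed scan through the Nessus REST API endpoint POST /scans/{id}/launch, passing the ticket's assets as alt_targets, and records the ticket-to-scan link as audit evidence. The scanner URL, API keys, scan ids and the webhook payload shape are assumptions; fake_transport stands in for the real HTTP call so the block runs offline.

```python
import json
import urllib.request
from datetime import datetime, timezone

# Assumed values: scanner URL, API keys, and ids of pre-built credentialed scan policies.
NESSUS_URL = "https://nessus.example.internal:8834"
API_KEYS = {"accessKey": "<access-key>", "secretKey": "<secret-key>"}
SCAN_ID_BY_CLASS = {"server": 12, "network-device": 13, "endpoint": 14}

def build_launch_request(scan_id, targets):
    """POST /scans/{id}/launch; alt_targets overrides the saved target list so
    one credentialed template can serve every change ticket."""
    body = json.dumps({"alt_targets": targets}).encode()
    req = urllib.request.Request(f"{NESSUS_URL}/scans/{scan_id}/launch", data=body, method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header("X-ApiKeys", "accessKey={accessKey}; secretKey={secretKey}".format(**API_KEYS))
    return req

def send(req):
    """Real transport: returns the decoded JSON reply (carries scan_uuid)."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())

def handle_change_webhook(event, transport=send, trigger_log=None):
    """Only implemented changes with scannable assets launch a scan; each launch
    is appended to trigger_log so the ticket/scan link survives as evidence."""
    if event.get("state") != "implemented":
        return None
    targets = sorted({a["ip"] for a in event.get("assets", []) if a.get("ip")})
    if not targets:
        raise ValueError(f"ticket {event.get('ticket')} has no scannable assets")
    scan_id = SCAN_ID_BY_CLASS[event.get("asset_class", "server")]
    reply = transport(build_launch_request(scan_id, targets))
    record = {"ticket": event["ticket"], "scan_id": scan_id,
              "scan_uuid": reply["scan_uuid"], "targets": targets,
              "launched_at": datetime.now(timezone.utc).isoformat()}
    if trigger_log is not None:
        trigger_log.append(record)
    return record

# Constructed sample payload (shape assumed; adapt to your ticketing tool's webhook).
SAMPLE_EVENT = {"ticket": "CHG-0042", "state": "implemented", "asset_class": "server",
                "assets": [{"hostname": "app02", "ip": "10.0.5.22"},
                           {"hostname": "app01", "ip": "10.0.5.21"}]}

def fake_transport(req):
    """Offline stand-in for send(): checks the request, returns a canned reply."""
    assert req.get_method() == "POST" and req.full_url.endswith("/scans/12/launch")
    assert json.loads(req.data)["alt_targets"] == ["10.0.5.21", "10.0.5.22"]
    return {"scan_uuid": "constructed-uuid-0001"}
```

In production the trigger_log entries, written to the SIEM or evidence store alongside the pre/post-scan reports, are the record that ties each change ticket to its scan.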
Remediation workflows, prioritization, and evidence collection
Define SLAs by severity (e.g., remediate critical within 7 days, high within 30 days) and prioritize by exploitability (use CVSS + vendor exploitability metadata). Use Nessus dashboards and filters to export CSVs or PDF reports grouped by asset owner and severity. Integrate with your ticketing to automatically populate tickets with the plugin ID, CVE, recommended remediation steps, and proof (scan output lines). Maintain a remediation log that includes dates of discovery, tickets, remediation actions, and verification scans — this is critical evidence for auditors that the organization meets RA.L2-3.11.2.
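An added Python example (not from the post or from Tenable) of the remediation workflow above: it turns a Nessus CSV export into ticket-ready items with owner, SLA due date and proof, ordered by exploitability (Metasploit flag) and CVSS v3 score, and lists overdue findings for the remediation log. The CSV column names, the Medium/Low SLA values and the owner map are assumptions; the sample rows are constructed.

```python
import csv
import io
from datetime import date, timedelta

# SLA days per Nessus risk rating; Critical/High from the post, Medium/Low assumed.
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}

# Constructed sample shaped like a Nessus CSV export (column names assumed).
SAMPLE_CSV = """Plugin ID,CVE,CVSS v3.0 Base Score,Risk,Host,Name,Metasploit,Plugin Output
12345,CVE-2024-0001,9.8,Critical,10.0.5.21,Example RCE,true,Installed version : 1.0
12346,CVE-2024-0002,7.5,High,10.0.5.21,Example DoS,false,Installed version : 2.1
12347,,5.3,Medium,10.0.5.22,Weak cipher,false,Cipher : RC4
12348,CVE-2024-0003,8.8,High,10.0.5.22,Example privesc,true,Installed version : 3.0
12349,,0.0,None,10.0.5.22,Service detection,false,HTTP server detected
"""

def is_exploitable(row):
    """Vendor exploitability metadata: a public Metasploit module exists."""
    return row.get("Metasploit", "").strip().lower() == "true"

def priority(row):
    """Sort key: exploitable findings first, then by CVSS v3 base score descending."""
    try:
        score = float(row.get("CVSS v3.0 Base Score") or 0)
    except ValueError:
        score = 0.0
    return (not is_exploitable(row), -score)

def build_remediation_items(csv_text, discovered_iso, owners):
    """One ticket-ready dict per rated finding (informational rows are dropped),
    carrying owner, SLA due date and the scan output line as proof."""
    discovered = date.fromisoformat(discovered_iso)
    rows = [r for r in csv.DictReader(io.StringIO(csv_text)) if r["Risk"] in SLA_DAYS]
    items = []
    for r in sorted(rows, key=priority):
        items.append({
            "plugin_id": r["Plugin ID"],
            "cve": r["CVE"] or None,
            "host": r["Host"],
            "risk": r["Risk"],
            "owner": owners.get(r["Host"], "unassigned"),
            "exploitable": is_exploitable(r),
            "due": (discovered + timedelta(days=SLA_DAYS[r["Risk"]])).isoformat(),
            "proof": r["Plugin Output"].strip(),
        })
    return items

def overdue(items, today_iso):
    """Findings whose SLA has lapsed: the list to escalate and to show auditors."""
    return [i for i in items if date.fromisoformat(i["due"]) < date.fromisoformat(today_iso)]

OWNERS = {"10.0.5.21": "app-team", "10.0.5.22": "infra-team"}  # constructed, from the asset inventory
```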
Risk of non-implementation and compliance tips
Not implementing periodic and triggered scans leaves CUI and business systems exposed to known exploits, increases the chance of breach and lateral movement, and leads to non-compliance findings that can cost contracts and reputation and incur remediation costs. Compliance tips: always use credentialed scans where possible to reduce false positives, document accepted risk and compensating controls for devices you cannot scan, keep scan policies and frequency documented in your System Security Plan (SSP), and retain reports for the timeframe required by your contract (commonly 1–3 years). For small businesses with limited staff, use agents, automation, and targeted scanning windows to get maximum coverage with minimal overhead.
Summary
Implementing RA.L2-3.11.2 with Nessus involves defining a documented scan cadence and triggers, installing and hardening scanners and agents, creating credentialed and device-specific scan policies, automating triggered scans via change management or CI/CD, integrating findings into a remediation workflow, and retaining evidence for auditors; following the steps above will help small businesses achieve the balance between operational practicality and the compliance rigor required for NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2.