Requirement
NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - RA.L2-3.11.2 – Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. Solutions like Nessus can be used to meet this requirement. Ensure that you scan for vulnerabilities on all devices connected to the network, including servers, desktops, laptops, virtual machines, containers, firewalls, switches, and printers.
Understanding the Requirement
This control, part of NIST SP 800-171 REV.2 / CMMC 2.0 Level 2, requires organizations to run vulnerability scans on systems and applications on a defined cadence and whenever new vulnerabilities are discovered that could affect those assets. It covers all assets in scope — from servers and virtual machines to laptops, containers, network devices, and even printers — and expects scans to be documented, prioritized, and acted upon so that identified risks are mitigated in a timely way.
Technical Implementation
- Maintain a complete asset inventory: Start with a living inventory that lists all devices and applications in scope (servers, desktops, laptops, VMs, containers, firewalls, switches, printers). Tag assets by criticality and connectivity (internal/external) so you can prioritize scans and remediation.
- Choose and configure a scanner: Deploy a commercial or open-source vulnerability scanner (e.g., Nessus, OpenVAS) and configure it for both authenticated and unauthenticated scans. Use credentials for servers and key applications to get accurate findings and reduce false positives.
- Define scan cadence and policies: Document scanning frequency in your policy (example: internal scans every two weeks, external-facing hosts weekly, high-risk assets daily or on change). Include rules to trigger an immediate scan when a new CVE or vendor bulletin affects your environment or when new assets are added.
- Update signatures and plugins before each scan: Automate scanner updates so the signature/plugin database is current before each scheduled run. Record the scanner version and plugin date in scan reports for auditability.
- Integrate with patch and ticketing workflows: Feed high/critical findings into your patch management and ticketing system with agreed SLAs (e.g., critical = 7 days, high = 30 days). Assign owners, track remediation steps, and verify fixes with follow-up scans.
- Scan non-routable and transient assets: Use agent-based scanners or scheduled endpoint scans for laptops and devices that don’t always connect to the corporate network. For containers and cloud VMs, incorporate scanning into CI/CD pipelines and cloud-native scanning tools to catch issues before production.
- Document and retain results: Keep scan reports, remediation logs, and exception approvals for the retention period required by your compliance program. Produce executive summaries that highlight risk reduction and remediation status for leadership reviews.
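The bookkeeping behind the steps above (inventory coverage against the scan cadence, SLA due dates for findings, ad-hoc scan targeting when an advisory names software in use, and a plugin-freshness gate before a run) can be kept as a small script independent of which scanner you use. The following is an added example written for this guide; it is not Nessus or OpenVAS code and calls no scanner API. The asset and finding records, tag names (external, internal, high-risk), and the CVE identifiers (CVE-0000-000x placeholders) are constructed for illustration; the critical and high SLAs follow the values given above, while the medium and low SLAs are assumed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Remediation SLAs in days by severity. Critical and high follow the guide's
# example (7 and 30 days); medium and low are assumed values for this example.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Scan cadence in days by asset tag, mirroring the guide's example policy
# (external weekly, internal every two weeks, high-risk daily). Tag names are assumed.
CADENCE_DAYS = {"external": 7, "internal": 14, "high-risk": 1}


@dataclass
class Asset:
    """One inventory entry: name, policy tags, installed software, last scan date."""
    name: str
    tags: frozenset
    software: frozenset
    last_scanned: Optional[date] = None


@dataclass
class Finding:
    """One scanner finding, in the shape a scan report export would give you."""
    asset: str
    severity: str
    cve: str
    found: date
    fixed: Optional[date] = None


def scan_interval(asset: Asset) -> int:
    """Tightest cadence among the asset's tags; untagged assets default to internal."""
    days = [CADENCE_DAYS[t] for t in asset.tags if t in CADENCE_DAYS]
    return min(days) if days else CADENCE_DAYS["internal"]


def overdue_assets(inventory, today: date):
    """Coverage gap check: assets never scanned, or scanned longer ago than their cadence."""
    gaps = []
    for a in inventory:
        if a.last_scanned is None or (today - a.last_scanned).days > scan_interval(a):
            gaps.append(a.name)
    return sorted(gaps)


def remediation_due(f: Finding) -> date:
    """Ticket due date: discovery date plus the SLA for the finding's severity."""
    return f.found + timedelta(days=SLA_DAYS[f.severity])


def sla_breaches(findings, today: date):
    """Open findings past their SLA due date, oldest due date first."""
    late = [f for f in findings if f.fixed is None and today > remediation_due(f)]
    return sorted(late, key=remediation_due)


def hosts_for_advisory(inventory, affected_software):
    """Targets for an immediate ad-hoc scan when an advisory names software in use."""
    affected = set(affected_software)
    return sorted(a.name for a in inventory if a.software & affected)


def plugin_feed_current(plugin_date: date, today: date, max_age_days: int = 1) -> bool:
    """Pre-scan gate: refuse to run on a stale plugin/signature database."""
    return (today - plugin_date).days <= max_age_days


# Constructed sample inventory and findings (not real hosts, scan output, or CVE ids).
TODAY = date(2024, 3, 15)
INVENTORY = [
    Asset("web-01", frozenset({"external"}), frozenset({"nginx"}), date(2024, 3, 10)),
    Asset("file-01", frozenset({"internal", "high-risk"}), frozenset({"samba"}), date(2024, 3, 14)),
    Asset("lab-vm-03", frozenset({"internal"}), frozenset({"openssl"}), date(2024, 2, 20)),
    Asset("printer-2f", frozenset({"internal"}), frozenset(), None),
]
FINDINGS = [
    Finding("web-01", "critical", "CVE-0000-0001", date(2024, 3, 1)),
    Finding("file-01", "high", "CVE-0000-0002", date(2024, 3, 1)),
    Finding("lab-vm-03", "high", "CVE-0000-0003", date(2024, 1, 20), fixed=date(2024, 2, 1)),
]

if __name__ == "__main__":
    print("coverage gaps:", overdue_assets(INVENTORY, TODAY))
    print("SLA breaches:", [(f.asset, f.cve) for f in sla_breaches(FINDINGS, TODAY)])
    print("ad-hoc scan targets:", hosts_for_advisory(INVENTORY, ["openssl"]))
    print("plugin feed current:", plugin_feed_current(date(2024, 3, 15), TODAY))
```

In practice the inventory and findings would be loaded from your CMDB export and the scanner's report export, and the outputs fed to the ticketing system; the point of keeping the policy values (cadence, SLAs) in one place is that the auditor can read the same numbers from the script and from the written policy. Note that a never-scanned asset such as the printer is reported as a gap rather than silently skipped, which is how devices dropped from scan scopes usually get caught.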
Example in a Small or Medium Business
A 60-person engineering firm purchases a commercial vulnerability scanner and assigns the IT lead to manage it. They build an inventory listing all servers, 45 employee laptops, several network switches, two firewalls, and a handful of networked printers and lab VMs. The scanner is configured for authenticated internal scans every two weeks, external scans weekly, and agent-based scans for laptops when they check in. The IT lead sets alerts so that when a new vendor advisory or CVE mentions software used by the firm, an immediate targeted scan runs against affected hosts. Scan results automatically create tickets in the firm's helpdesk with severity-based SLAs; critical findings open a high-priority ticket assigned to the server admin and trigger a follow-up scan after remediation. For containerized builds, the dev team adds a scan step to the CI pipeline so images are checked before deployment. The firm documents all scans, tool versions, and remediation evidence in a shared compliance folder to support review and audit readiness.
Summary
Meeting RA.L2-3.11.2 requires a combination of policy (defined scan frequency, triggers for ad-hoc scans, asset coverage, and SLAs) and technical controls (a properly configured vulnerability scanner, authenticated checks, agent coverage, signature updates, and integration with patching/ticketing). For SMBs, pragmatic choices—complete inventory, sensible cadence, automated updates, and clear remediation workflows—deliver measurable reduction in exposure and provide the documentation needed for compliance and audit confidence.