CMMC 2.0 Level 2 control RA.L2-3.11.3 requires organizations to remediate vulnerabilities in accordance with risk assessments; together with its companion control RA.L2-3.11.2 (scan organizational systems and applications periodically and when new vulnerabilities are identified) it obliges you to find flaws and act on them in a risk-informed, documented way. This post shows how to structure a repeatable, auditable vulnerability triage process built on risk scores so small and mid-sized companies can demonstrate compliance with NIST SP 800-171 Rev. 2.
What RA.L2-3.11.3 requires and the compliance objective
Taken together, the two controls expect organizations handling Controlled Unclassified Information (CUI) to (1) scan for vulnerabilities periodically and whenever new vulnerabilities affecting their systems are identified (3.11.2) and (2) remediate what the scans find according to assessed risk rather than on a first-come basis (3.11.3). For CMMC/DFARS assessments you must show an established process, evidence of scans (authenticated where possible), an asset inventory mapped to CUI impact, documented triage decisions, and tracking of remediation or accepted residual risk (POA&M entries). The objective is to reduce the attack surface and preserve the confidentiality, integrity, and availability of CUI.
Implementing a risk-based vulnerability triage process
Design a workflow with these phases: discovery (asset inventory + scan), enrichment (contextual data), scoring (risk score calculation), assignment (owner + SLA), remediation (fix/mitigation/testing), and verification (rescan + evidence). Use automated scanners (Tenable Nessus, Qualys, Rapid7, OpenVAS) configured for authenticated scans on internal hosts. Integrate scan results into a ticketing system (Jira/ServiceNow) and a CMDB so every finding ties back to asset criticality and CUI hosting status in your SSP.
Risk scoring formula: practical and auditable
A simple, auditable risk score for CMMC can combine the CVSS v3.1 Base Score, asset criticality, exposure, and an exploitability signal: RiskScore = round( (CVSS_Base/10 * 0.50) + (AssetCriticality/10 * 0.25) + (ExposureFactor * 0.15) + (ExploitabilityFactor * 0.10), 2 ), where AssetCriticality is 1 to 10 (CUI-bearing hosts = 9 to 10), ExposureFactor = 1.0 for internet-facing, 0.5 for DMZ, 0.1 for internal-only, and ExploitabilityFactor is 0.0 to 1.0 taken from the EPSS probability or the presence of a public proof of concept. The weights sum to 1.0, so the raw score lies between 0 and 1; multiply by 100 to get the 0 to 100 scale used by the SLA bands below. Example: CVSS 7.8 on an internet-facing CUI web server with EPSS 0.4 and criticality 9 gives (7.8/10*0.5 = 0.39) + (9/10*0.25 = 0.225) + (1.0*0.15 = 0.15) + (0.4*0.10 = 0.04) = 0.805, or 80.5 on the percent scale, which lands in the Critical band. Keep the weights fixed and version-controlled; an assessor will want to see that the same inputs always produce the same score.
Operational triage and SLAs for small businesses
Define clear SLA windows mapped to risk bands (on the 0 to 100 scale) so assessors see consistent prioritization: Critical (RiskScore >= 80): remediate within 7 calendar days or implement compensating controls and update the POA&M; High (60 to 79): remediate within 30 days; Medium (40 to 59): remediate within 90 days; Low (< 40): deferred or scheduled in the standard maintenance cycle with documented risk acceptance. Record the scan date with every finding so the SLA clock is unambiguous. For a small company with limited staff, use an MSSP or cloud-native tools (Amazon Inspector, Microsoft Defender for Cloud, formerly Azure Security Center) to meet the scanning cadence and triage SLAs.
Real-world small-business scenarios
Scenario A: internet-facing web app exposing CUI. The scan returns a CVE with CVSS 8.2 and a confirmed public exploit (EPSS high). Using the risk formula and the CUI hosting flag, the finding scores Critical; immediate mitigation options include a hotfix patch (preferred), a temporary WAF rule or IP restriction, and a change-control ticket showing the emergency patch deployment. Scenario B: internal file server running an outdated SMB protocol version, flagged at CVSS 5.3 but internal-only and of low business criticality. The finding scores Medium; schedule patching in the next 30 to 60 day maintenance window, document compensating controls (network segmentation, limited privileged access), and open a POA&M entry if it is not remediated immediately.
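The following is an added example, not code from the post: it implements the weighted formula from the scoring section, maps the result to the SLA bands above, and runs the three cases the post works through (the formula example, Scenario A and Scenario B) as constructed sample findings. Two things are this example's own assumptions rather than the post's: a confirmed public exploit or CISA KEV listing saturates ExploitabilityFactor to 1.0, and Scenario B is given criticality 4 and EPSS 0.3, which the post does not state.

```python
"""Risk-based vulnerability triage (added example, not from the post).

Score = CVSS/10*0.50 + Criticality/10*0.25 + Exposure*0.15 + Exploitability*0.10,
scaled to 0-100, then mapped to the post's SLA bands and a ticket/POA&M record.
The finding records at the bottom are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

EXPOSURE = {"internet": 1.0, "dmz": 0.5, "internal": 0.1}

# (score floor, band, SLA in calendar days; None = deferred to standard maintenance)
BANDS = [(80, "Critical", 7), (60, "High", 30), (40, "Medium", 90), (0, "Low", None)]


@dataclass
class Finding:
    asset: str
    finding_id: str
    cvss_base: float              # CVSS v3.1 base score, 0.0-10.0
    criticality: int              # asset criticality 1-10; CUI-bearing hosts are 9-10
    exposure: str                 # "internet", "dmz" or "internal"
    epss: float                   # EPSS probability, 0.0-1.0
    public_exploit: bool = False  # confirmed PoC or CISA KEV listing
    hosts_cui: bool = False


def exploitability(f: Finding) -> float:
    """EPSS probability, saturated to 1.0 when a public exploit is confirmed (assumption)."""
    return 1.0 if f.public_exploit else f.epss


def risk_score(f: Finding) -> float:
    """The post's weighted formula on a 0-100 scale, rounded to 0.1. Rejects bad inputs."""
    if not 0.0 <= f.cvss_base <= 10.0:
        raise ValueError(f"{f.finding_id}: CVSS base score out of range")
    if not 1 <= f.criticality <= 10:
        raise ValueError(f"{f.asset}: criticality must be 1-10")
    if not 0.0 <= f.epss <= 1.0:
        raise ValueError(f"{f.finding_id}: EPSS must be 0.0-1.0")
    unit = (f.cvss_base / 10 * 0.50
            + f.criticality / 10 * 0.25
            + EXPOSURE[f.exposure] * 0.15
            + exploitability(f) * 0.10)
    return round(unit * 100, 1)


def band_for(score: float):
    """Return (band, sla_days) for a 0-100 score using the post's thresholds."""
    for floor, name, sla in BANDS:
        if score >= floor:
            return name, sla
    raise ValueError("score must be non-negative")


def triage(f: Finding, scan_date: Optional[date] = None) -> dict:
    """Build the ticket/POA&M record for one finding; the SLA clock starts at scan_date."""
    scan_date = scan_date or date.today()
    score = risk_score(f)
    band, sla = band_for(score)
    due = scan_date + timedelta(days=sla) if sla is not None else None
    if band == "Critical":
        action = "remediate within 7 days or apply compensating control and open POA&M"
    elif band == "Low":
        action = "schedule in standard maintenance; document risk acceptance"
    else:
        action = f"remediate within {sla} days"
    return {"asset": f.asset, "finding_id": f.finding_id, "hosts_cui": f.hosts_cui,
            "score": score, "band": band, "sla_days": sla,
            "scan_date": scan_date, "due": due, "action": action}


# Constructed sample findings mirroring the post's worked example and two scenarios.
FINDINGS = [
    # Formula example: CVSS 7.8, internet-facing CUI web server, criticality 9, EPSS 0.4
    Finding("cui-web-01", "SCAN-0001", 7.8, 9, "internet", 0.40, hosts_cui=True),
    # Scenario A: CVSS 8.2 with a confirmed public exploit on the same class of host
    Finding("cui-web-02", "SCAN-0002", 8.2, 9, "internet", 0.90, public_exploit=True, hosts_cui=True),
    # Scenario B: internal file server, outdated SMB; criticality 4 and EPSS 0.3 are assumed
    Finding("fs-internal-07", "SCAN-0003", 5.3, 4, "internal", 0.30),
]

if __name__ == "__main__":
    for rec in (triage(f, date(2024, 1, 15)) for f in FINDINGS):
        print(f"{rec['asset']:15} {rec['finding_id']:10} {rec['score']:5.1f} "
              f"{rec['band']:8} due={rec['due']}  {rec['action']}")
```

Run as written it reproduces the 80.5 from the scoring section, puts Scenario A at 88.5 (Critical) and Scenario B at 41.0 (Medium). Feeding the `triage` records to your ticketing export or a CSV gives the assessor the score inputs, band, owner-assignable due date and required action in one row per finding.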
Technical details and evidence for auditors
Produce the following artifacts for CMMC assessors: timestamped authenticated scan reports, the scanned asset list mapped to the SSP and to CUI-bearing systems, risk-score calculation spreadsheets or automated dashboards (including the fixed weights used), remediation tickets with owner and dates, POA&Ms for exceptions, and rescan evidence showing closure. Configure scanners to output standardized formats (CSV/XML) and retain reports and logs for your required retention period. Use CVSS v3.1 base scores plus EPSS and Exploit-DB or CISA KEV checks, and document any environmental metric adjustments (e.g., raised confidentiality impact for CUI).
Compliance tips, best practices, and risks of non-implementation
Best practices: perform at least monthly authenticated internal scans and weekly external scans for internet-facing assets; correlate vulnerability feeds with threat intelligence (OTX, CISA KEV) to flag KEV-listed CVEs; automate ticket creation and status updates; maintain a living asset inventory and map CUI storage/processing locations. Risks of not implementing: exploitable vulnerabilities leading to CUI exfiltration, contract loss, DFARS/CMMC penalties, and failing an assessment. Additionally, lacking documented triage and POA&Ms is a common audit failure point.
In summary, RA.L2-3.11.3 compliance is achievable for small organizations by building a repeatable, documented vulnerability scanning and triage process that combines CVSS, asset criticality, exposure, and exploitability signals into an auditable risk score, backed by SLAs, ticketing evidence, rescans, and POA&Ms. Implement authenticated scans, map findings to CUI-bearing assets, and use compensating controls when immediate remediation is not feasible, both to reduce risk and to demonstrate compliance.