
How to prioritize vulnerability scan findings and integrate patch management to achieve NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 - Control - RA.L2-3.11.2

Practical, risk-based steps to prioritize vulnerability scan results and tie them into an auditable patch-management workflow to meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 RA.L2-3.11.2.

April 14, 2026 · 5 min read


This post explains how to implement NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 control RA.L2-3.11.2 ("scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified") by showing a practical, auditable approach to prioritizing scan findings and integrating them with patch management in a small-business environment.

What RA.L2-3.11.2 requires and the key objectives

RA.L2-3.11.2 requires organizations to scan systems and applications on a defined, recurring schedule and again whenever a new vulnerability affecting those systems is disclosed. Acting on the findings is formally the companion control RA.L2-3.11.3 ("remediate vulnerabilities in accordance with risk assessments"), so the workflow described here produces evidence for both. The key objectives are: (1) maintain an accurate, prioritized view of vulnerabilities across your environment; (2) remediate or mitigate in a timeframe matched to risk; and (3) produce evidence (scan results, tickets, change records) that remediation occurred. An assessor working from NIST SP 800-171A will check that a scan frequency is written down, that systems and applications are actually scanned at that frequency, and that they are scanned when new vulnerabilities are identified, so your implementation must be repeatable, risk-based, and demonstrable.

Practical implementation: inventory, scan cadence, and tooling

Start with a complete asset inventory (CMDB) that identifies internet-facing systems, assets storing or processing CUI, critical servers, and user endpoints; a scanner can only cover what the inventory tells you exists. Write the scanning cadence into policy, because the assessor will compare scan timestamps against the documented frequency. Baseline cadence: weekly for internet-facing and externally exposed apps; monthly for internal infrastructure; and immediate scans (or targeted checks) when a new CVE or vendor advisory affects your environment. Recommended tooling: commercial scanners (Tenable/Nessus, Qualys, Rapid7) or open-source (OpenVAS) for vulnerability discovery; a centralized patch-management platform such as WSUS/MECM, Microsoft Intune, Jamf, PDQ Deploy, or configuration management tools (Ansible/Chef) for remediation. Integrate scanners with your ticketing/ITSM system (ServiceNow, Jira) so each high-priority finding becomes an actionable ticket with an SLA date and an assigned owner.

Asset criticality, scoring rules, and a prioritization matrix

Use a multi-factor prioritization matrix that combines CVSS base score, exploitability metrics (EPSS, public exploit availability), asset criticality (CUI exposure, business function), and compensating controls (network segmentation, WAF). Example thresholds for a small business: treat CVSS >= 9.0, or any CVE with a known exploit on an internet-facing asset, as P1 (remediate within 7 calendar days); CVSS 7.0–8.9 on critical/CUI systems as P2 (15 calendar days); CVSS 4.0–6.9 as P3 (30–60 days); CVSS < 4.0 as P4 (90 days or scheduled maintenance). Use additional flags that override the score-based band: "Exploit observed in the wild" (for example, a CISA KEV listing; auto-elevate severity), "Vendor provided hotfix" (raise priority, since there is no longer a reason to wait), and "End-of-Life software" (treat as critical until mitigated, because no patch will ever arrive). Record the reason for every elevation on the ticket; the assessor wants to see why a finding got its priority, not only what the priority was.

Integrating patch management and automating remediation

Design workflows that flow from discovery to remediation to verification: scanner discovery → automatic ticket creation with mapped priority → patch deployment in a staged rollout → post-patch verification scan → ticket closure with evidence. Example automations: Tenable/Qualys connectors that push findings into ServiceNow and map CVSS/EPSS to priority fields; Intune or WSUS to push Windows updates to a pilot group first, then to the fleet; an Ansible ad-hoc command or playbook to apt/yum update Linux servers (e.g., ansible linux_servers -i hosts -m ansible.builtin.apt -a "name=package state=latest update_cache=yes" --become; note that ansible requires the host pattern as its first argument, and the apt module is idempotent where a raw shell command is not; use ansible.builtin.dnf or ansible.builtin.yum on RHEL-family hosts). Always include a test window (pilot 5–10% of endpoints), a rollback procedure (retention of the previous image or package), and scheduled reboots, since a patch that is installed but not activated by a reboot will still be reported by the verification scan. Document an emergency patch procedure for critical zero-day mitigations where normal change-control timelines are accelerated and the approval is still retained in logs.

Real-world small business scenario

Example: a 50-person software company with 2 internet-facing web servers, a database server that stores CUI, and 40 developer laptops. A weekly authenticated scan reports: (A) RCE CVE-XXXX-2026 on an internet-facing web server (CVSS 9.8, exploit on GitHub), (B) an outdated library on developer laptops (CVSS 5.0, no known exploit), and (C) a missing DB engine patch (CVSS 8.1, vendor-provided patch). Prioritization: open a P1 ticket for (A) with an immediate staged patch to the web servers and a web application firewall rule as temporary mitigation (the WAF rule buys time; it does not lower the priority or close the ticket); open a P1 ticket for (C), elevated from the P2 its CVSS band would give because the server holds CUI and the vendor has already shipped the fix, with a database maintenance window within 7 days (coordinate backup and rollback plan); schedule (B) as P3 and include it in the next monthly laptop patch cycle, which falls inside the P3 window. Evidence: the saved scan report showing the CVE, ServiceNow incident numbers, the change-control ticket approving the maintenance window, and the post-patch scan showing remediation. This sequence maps directly to the proof an assessor will want to see.
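The matrix from the prioritization section and the discovery → ticket → verify → close workflow above, run end to end over the three findings in this scenario, as an added example that is not code from the original post. The P1–P4 bands, SLA days and elevation flags are the post's; everything else is an assumption standing in for a real scanner export and ITSM API: the Finding and Ticket fields, the ticket-ID format, the constructed CVE placeholders for (B) and (C), treating the CVSS 7.0–8.9 band as P3 on non-CUI assets, and using the 30-day end of the post's 30–60 day P3 range. Compensating controls are recorded on the ticket but never lower the priority, matching how the WAF rule is handled above.

```python
"""Risk-based prioritization and an auditable ticket lifecycle for RA.L2-3.11.2.

Added example, not code from the original post. Priority bands, SLA days and the
elevation flags follow the post's matrix; the data model, ticket-ID format and
scan-report names are assumptions standing in for a real scanner/ITSM export.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

LEVELS = ["P4", "P3", "P2", "P1"]                    # ordered low -> high
SLA_DAYS = {"P1": 7, "P2": 15, "P3": 30, "P4": 90}   # calendar days; P3 uses the 30-day end of the post's 30-60 range


@dataclass
class Finding:
    cve: str
    asset: str
    cvss: float
    internet_facing: bool = False
    stores_cui: bool = False              # CUI-bearing or business-critical asset
    exploit_public: bool = False          # exploit code available (e.g. on GitHub)
    exploited_in_wild: bool = False       # active exploitation reported (e.g. CISA KEV)
    vendor_hotfix: bool = False
    end_of_life: bool = False
    compensating_control: str | None = None   # e.g. "WAF virtual patch"; recorded, never lowers priority


@dataclass
class Ticket:
    ticket_id: str
    finding: Finding
    priority: str
    reasons: list[str]                    # why the finding got its priority (assessor evidence)
    opened: date
    due: date
    status: str = "OPEN"
    evidence: list[str] = field(default_factory=list)


def _elevate(priority: str) -> str:
    """Raise one level, capped at P1."""
    return LEVELS[min(LEVELS.index(priority) + 1, len(LEVELS) - 1)]


def prioritize(f: Finding) -> tuple[str, list[str]]:
    """Map one finding to P1..P4 and keep the reasoning for the ticket."""
    reasons: list[str] = []
    if f.cvss >= 9.0:
        p = "P1"
    elif f.cvss >= 7.0:
        p = "P2" if f.stores_cui else "P3"   # assumption: the 7.0-8.9 -> P2 band is for CUI/critical assets
    elif f.cvss >= 4.0:
        p = "P3"
    else:
        p = "P4"
    reasons.append(f"CVSS {f.cvss} -> {p}")
    if f.internet_facing and (f.exploit_public or f.exploited_in_wild):
        p = "P1"
        reasons.append("known exploit on internet-facing asset -> P1")
    if f.exploited_in_wild and p != "P1":
        p = _elevate(p)
        reasons.append(f"exploited in the wild -> {p}")
    if f.vendor_hotfix and p != "P1":
        p = _elevate(p)
        reasons.append(f"vendor hotfix available -> {p}")
    if f.end_of_life:
        p = "P1"
        reasons.append("end-of-life software: critical until mitigated")
    if f.compensating_control:
        reasons.append(f"temporary mitigation recorded: {f.compensating_control}")
    return p, reasons


def open_tickets(findings: list[Finding], scan_report: str, scan_date: date) -> list[Ticket]:
    """Discovery -> ticket with mapped priority, SLA due date and the scan as first evidence."""
    tickets = []
    for n, f in enumerate(findings, start=1):
        p, reasons = prioritize(f)
        tickets.append(Ticket(
            ticket_id=f"INC-{scan_date:%Y%m%d}-{n:03d}", finding=f, priority=p, reasons=reasons,
            opened=scan_date, due=scan_date + timedelta(days=SLA_DAYS[p]),
            evidence=[f"discovery scan {scan_date}: {scan_report}"],
        ))
    return tickets


def verify_and_close(ticket: Ticket, rescan: dict[str, set[str]], rescan_report: str, verified_on: date) -> bool:
    """Close only when the post-patch scan no longer reports the CVE on that asset.

    rescan maps asset -> set of CVEs still reported by the verification scan.
    """
    still_present = ticket.finding.cve in rescan.get(ticket.finding.asset, set())
    outcome = "still present" if still_present else "not found"
    ticket.evidence.append(f"rescan {verified_on}: {ticket.finding.cve} {outcome} ({rescan_report})")
    if still_present:
        return False                      # ticket stays open; the patch did not take (or was not rebooted in)
    ticket.status = "CLOSED"
    return True


def overdue(tickets: list[Ticket], today: date) -> list[str]:
    """Open tickets past their SLA date: the list an assessor will ask you to explain."""
    return [t.ticket_id for t in tickets if t.status != "CLOSED" and today > t.due]


# Constructed findings mirroring the post's scenario; the CVE IDs for (B) and (C) are placeholders.
SCAN_DATE = date(2026, 4, 6)
FINDINGS = [
    Finding("CVE-XXXX-2026", "web-01", 9.8, internet_facing=True, exploit_public=True,
            compensating_control="WAF virtual patch"),                            # (A)
    Finding("CONSTRUCTED-LIB-0001", "dev-laptops", 5.0),                          # (B)
    Finding("CONSTRUCTED-DB-0001", "db-01", 8.1, stores_cui=True, vendor_hotfix=True),  # (C)
]


def run_scenario() -> list[Ticket]:
    """Walk the scenario: weekly scan, tickets, then the post-patch rescan one week later."""
    tickets = open_tickets(FINDINGS, "nessus_weekly_2026-04-06.csv", SCAN_DATE)
    # Constructed rescan result: (A) and (C) patched, (B) still waiting for the monthly laptop cycle.
    rescan = {"web-01": set(), "db-01": set(), "dev-laptops": {"CONSTRUCTED-LIB-0001"}}
    for t in tickets:
        verify_and_close(t, rescan, "nessus_rescan_2026-04-13.csv", date(2026, 4, 13))
    return tickets


if __name__ == "__main__":
    for t in run_scenario():
        print(t.ticket_id, t.priority, t.status, "due", t.due, "|", "; ".join(t.reasons))
```

In a real deployment the Finding list comes from the scanner's export and the rescan dictionary from the verification scan; the value of keeping `reasons` and `evidence` on the ticket is that the closure record explains both the priority and the proof without anyone having to reconstruct it at assessment time.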

Compliance evidence, exceptions, and risk of non-implementation

Maintain artifact trails: scan results with timestamps, ticketing records that include priority and owner, change records showing deployment steps and approvals, and post-remediation verification scans. For exceptions, document the risk acceptance with business justification, compensating controls (isolation, monitoring), an expiration date for the exception, and a remediation plan; an exception without an expiry is a permanent gap, not a risk decision. Risks of not implementing RA.L2-3.11.2 include uncontrolled CUI exposure, successful exploitation leading to data breaches, loss of DoD contracts, contractual penalties, or failed CMMC/NIST assessments. In practical terms, unpatched internet-facing vulnerabilities are among the most common initial access vectors attackers use to compromise small businesses.

Compliance tips and best practices

Operationalize these practices: (1) tie vulnerability scanning to your change control and asset inventory so every finding has an owner; (2) automate ticket creation and priority mapping using CVSS + exploitability scores; (3) maintain a documented SLA for remediation windows and exceptions; (4) use staged deployments and rollback plans to reduce downtime and risk; (5) run authenticated (credentialed) scans where possible, since unauthenticated scans miss missing patches that are only visible from inside the host; (6) keep firmware and third-party software in scope (network devices, printers, ICS); (7) validate fixes with post-patch scans and retain exports in CSV/PDF for auditors; and (8) incorporate threat intelligence (vendor advisories, NVD, MITRE, CISA KEV, EPSS) to adjust priorities dynamically.

Summary: To meet RA.L2-3.11.2 you must combine regular and event-driven scanning with a risk-based prioritization process and a tightly integrated patch-management workflow that is automated, auditable, and demonstrably enforced. For small businesses this means keeping an accurate asset inventory, mapping CVSS and exploit data to business impact, using automation to convert discoveries into tickets and patches, documenting exceptions, and maintaining traceable evidence of remediation—so you can both reduce real risk and clearly show compliance during assessment.
