Vulnerability scans are only useful when their results are converted into explicit, prioritized actions you can schedule, fund, and verify. That is exactly what CA.L2-3.12.2 (NIST SP 800-171 Rev. 2 control 3.12.2, "Plan of Action") expects under CMMC 2.0 Level 2: documented plans of action and milestones (POA&Ms) that correct deficiencies and reduce or eliminate the vulnerabilities you cannot remediate immediately. The scanning itself is required by the companion control RA.L2-3.11.2 and risk-based remediation by RA.L2-3.11.3; this page covers the hand-off between them, from raw scan output to a POA&M an assessor will accept.
What CA.L2-3.12.2 requires (short)
The control text is short: develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. Assessors expect those plans to be fed by the periodic scanning of systems and hosted applications that RA.L2-3.11.2 requires, and to show how each deficiency is tracked to closure. For small businesses handling Controlled Unclassified Information (CUI), meeting this control means: run authenticated and unauthenticated scans at defined cadences, analyze and prioritize findings, and maintain POA&Ms that document remediation timelines, owners, interim mitigations, and evidence of closure.
Step-by-step: turn scan results into actionable POA&Ms
1) Ingest and normalize scan output
Export scanner output in a machine-readable format (CSV, JSON, or XLSX) from Nessus, Qualys, Rapid7, OpenVAS, or Microsoft Defender for Cloud. Normalize the fields so every finding carries: scanner plugin ID, CVE and CVSS score (configuration weaknesses often have no CVE, so allow that field to be empty), CWE, asset identifier (IP, hostname, business owner), first-seen and last-seen dates, and evidence (screenshot or log snippet). Keep the raw export unmodified, since it is your record of what the scanner saw, and store the normalized records in a versioned folder or a vulnerability database (for example VulnWhisperer feeding Elasticsearch, Kenna, or a simple PostgreSQL table).
2) Triage and prioritize using risk-based criteria
Don't rely on CVSS alone. Build a small-business risk rating that starts from CVSS and adjusts for asset criticality (CUI exposure, internet-facing, vendor SLA) and exploitability (is a public exploit available?). Example tiers and SLA targets: Critical (CVSS 9-10): remediate within 7 days; High (7-8.9): remediate within 30 days; Medium (4-6.9): remediate within 90 days; Low (under 4): fix in the next maintenance window or document accepted risk within 180 days. Then let context move a finding up: a Medium finding on a CUI host becomes High, and any High finding on an internet-facing CUI host is handled as Critical. Write the adjustment rules down so an assessor can reproduce every rating from the scan data and the asset inventory.
3) Create a POA&M entry: fields and content
Every prioritized finding should become a POA&M entry if not immediately closed. Minimum POA&M fields (practical template): Finding ID, Description (CVE/CWE and scanner notes), Affected Asset (IP/hostname/owner), Risk Rating (Critical/High/Medium/Low), Planned Remediation (patch/upgrade/config change/compensating control), Interim Mitigations (firewall rule, disable service), Responsible Owner, Resource Requirements (tools, budget, test environment), Start Date, Target Completion Date, Milestones (test patch, schedule window, deploy), Status, Residual Risk, Verification Method (rescans, config diff), and Evidence Attachments (change ticket, patch KB, test results). Populate each field; incomplete POA&Ms are the fastest way to fail an audit.
4) Assign, schedule and integrate with workflows
Turn POA&Ms into work items in your ticketing system (Jira, ServiceNow, GitHub Issues, or a simple spreadsheet for very small shops). Assign a named owner at the system or business-process level, not an abstract "IT" group. Link each item to the resources it needs (maintenance windows, patch packages, vendor coordination). For small businesses with limited staff, batch similar low-risk fixes into monthly "hardening sprints" and reserve emergency change windows for Critical fixes. Set automated reminders on target dates and hold monthly POA&M reviews with leadership.
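The four steps above, end to end, as an added example that is not code from the original page: it parses a constructed, generic scanner CSV (the column names are an assumption; real Nessus or Qualys exports differ), applies the step-2 tiering with an assumed context rule (CUI exposure, internet exposure, and a public exploit each raise the rating one tier, capped at Critical), builds POA&M entries with the step-3 template fields, flags the fields a human still has to fill, and emits a generic ticket payload for step 4. The asset inventory and the exploit list are constructed as well; in practice they come from your CMDB and a feed such as CISA KEV.

```python
import csv
import io
import json
from datetime import date, timedelta

# Constructed sample export in a generic scanner CSV layout (the column names
# are an assumption; map your real Nessus/Qualys/OpenVAS columns onto them).
SAMPLE_EXPORT = """\
plugin_id,cve,cvss,cwe,hostname,ip,first_seen,last_seen,evidence
100001,CVE-2024-XXXX,9.1,CWE-787,web01,203.0.113.10,2024-05-01,2024-05-08,IIS remote code execution
100002,,4.3,CWE-326,mail01,10.0.0.25,2024-04-20,2024-05-08,TLS 1.0 enabled on port 25
100003,,2.1,CWE-200,print01,10.0.0.40,2024-05-08,2024-05-08,Server banner discloses version
"""
AS_OF = date(2024, 5, 8)  # scan date, used as the POA&M start date

# Assumed asset inventory: business owner, CUI exposure, internet exposure.
ASSETS = {
    "web01": {"owner": "WebOps lead", "cui": True, "internet_facing": True},
    "mail01": {"owner": "SysAdmin", "cui": True, "internet_facing": False},
    "print01": {"owner": "IT Ops", "cui": False, "internet_facing": False},
}
# A host missing from the inventory has no owner and is treated as worst case.
UNKNOWN_ASSET = {"owner": None, "cui": True, "internet_facing": True}
# Assumed exploitability feed (in practice CISA KEV or the scanner's exploit flag).
PUBLIC_EXPLOITS = {"CVE-2024-XXXX"}

TIERS = ["Low", "Medium", "High", "Critical"]
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}
REQUIRED_FIELDS = ["finding_id", "description", "affected_asset", "risk_rating",
                   "planned_remediation", "interim_mitigation", "owner", "resources",
                   "start_date", "target_completion", "milestones", "status",
                   "residual_risk", "verification_method"]


def normalize(raw_csv):
    """Step 1: one dict per detection with uniform field names and types."""
    return [{"scanner_id": r["plugin_id"], "cve": r["cve"] or None,  # no CVE for config issues
             "cvss": float(r["cvss"]), "cwe": r["cwe"], "hostname": r["hostname"],
             "ip": r["ip"], "first_seen": date.fromisoformat(r["first_seen"]),
             "evidence": r["evidence"]} for r in csv.DictReader(io.StringIO(raw_csv))]


def base_tier(cvss):
    """Tier from CVSS alone, using the thresholds given in step 2."""
    floors = ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.0, "Low"))
    return next(tier for floor, tier in floors if cvss >= floor)


def risk_tier(finding, asset):
    """Step 2 (assumed policy): CUI exposure, internet exposure and a public
    exploit each raise the tier by one, capped at Critical. Keep this rule in
    the written procedure so an assessor can reproduce every rating."""
    bump = int(asset["cui"]) + int(asset["internet_facing"])
    bump += int(finding["cve"] in PUBLIC_EXPLOITS)
    return TIERS[min(TIERS.index(base_tier(finding["cvss"])) + bump, len(TIERS) - 1)]


def to_poam(finding, asset, seq, as_of):
    """Step 3: entry with the template fields; whatever needs a human stays None."""
    tier = risk_tier(finding, asset)
    return {
        "finding_id": f"POAM-{as_of.year}-{seq:04d}",
        "description": f"{finding['cve'] or 'no CVE'} / {finding['cwe']}: {finding['evidence']}",
        "affected_asset": f"{finding['hostname']} ({finding['ip']})",
        "risk_rating": tier,
        "planned_remediation": None,
        "interim_mitigation": None,
        "owner": asset["owner"],
        "resources": None,
        "start_date": as_of.isoformat(),
        "target_completion": (as_of + timedelta(days=SLA_DAYS[tier])).isoformat(),
        "milestones": ["test fix", "schedule window", "deploy", "credentialed rescan"],
        "status": "Open",
        "residual_risk": None,
        "verification_method": "credentialed rescan shows no detection",
        "evidence": [],  # change ticket, patch KB, post-fix scan output go here
    }


def missing_fields(entry):
    """Audit check: template fields that are still empty."""
    return [f for f in REQUIRED_FIELDS if entry.get(f) in (None, "", [])]


def build_poams(raw_csv, as_of):
    """Steps 1-3 over a whole export, most urgent first."""
    entries = [to_poam(f, ASSETS.get(f["hostname"], UNKNOWN_ASSET), i, as_of)
               for i, f in enumerate(normalize(raw_csv), start=1)]
    entries.sort(key=lambda e: (-TIERS.index(e["risk_rating"]), e["target_completion"]))
    return entries


def to_ticket(entry):
    """Step 4: generic ticket payload; map the keys onto your tracker's fields."""
    return {"title": f"[{entry['risk_rating']}] {entry['finding_id']} {entry['affected_asset']}",
            "assignee": entry["owner"], "due": entry["target_completion"],
            "labels": ["poam", entry["risk_rating"].lower()],
            "body": json.dumps(entry, indent=2)}


if __name__ == "__main__":
    for e in build_poams(SAMPLE_EXPORT, AS_OF):
        print(to_ticket(e)["title"], "due", e["target_completion"], "missing:", missing_fields(e))
```

Two design points worth copying. A host that is not in the asset inventory gets no owner and worst-case exposure, so it surfaces at the top of the list with an empty owner field rather than silently landing in Low; fix the inventory, not the score. And `missing_fields` is the pre-review gate: an entry that still reports empty remediation, mitigation, resources, or residual-risk fields is not yet a POA&M, only a scan finding with a due date.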
Worked examples for a small business
Example A: an internet-facing Windows IIS server shows CVE-2024-XXXX (CVSS 9.1) during an external scan. POA&M: Owner = WebOps lead; Planned Remediation = apply Microsoft KB2024-XXXX and reboot; Interim Mitigation = restrict source IPs and add a WAF rule until the patch lands; Resources = test server and patch package; Target = 3 business days (inside the 7-day Critical SLA); Verification = credentialed rescan showing no detection; Evidence = change ticket plus post-patch scan output. If the fix needs application changes rather than a vendor patch, include a rollback plan and announce the outage window to stakeholders.
Example B: an internal mail server still accepts TLS 1.0 (CVSS 4.3) because some legacy clients need it. Because the server handles CUI, the asset-context rule raises the rating from Medium to High. POA&M: Owner = SysAdmin; Planned Remediation = require TLS 1.2 or later, update OpenSSL and the mail client configurations; Interim Mitigation = limit which networks can reach the mail ports and alert on TLS 1.0 handshakes in the server logs; Target = 45 days to accommodate client upgrades (longer than the 30-day High SLA, so record the justification and leadership sign-off in the entry); Verification = protocol scan confirming TLS 1.0 is refused plus client regression tests; Evidence = configuration file, test matrix, rescan output.
Tools, automation and technical details
Use credentialed (authenticated) scans for accuracy. Create a dedicated scanning account with only the rights the scanner vendor documents for a full credentialed scan (often local administrator on Windows, and on Linux an unprivileged account with sudo limited to the scanner's commands), restrict where it may log in from, and rotate its credentials. Use the scanner APIs (Nessus, Qualys, and Rapid7 all provide them) to push findings into your GRC or ticketing system automatically. Reference CVE and CWE IDs in POA&Ms and record the exact patch KB number or package version applied (for example "Apply Microsoft KB501XXXX" or "Upgrade OpenSSL to 1.1.1m"; note that the OpenSSL 1.1.1 series is itself end-of-life, so a real upgrade target should be a currently supported release). For configuration fixes, record the exact directive or config diff: in Apache httpd, disabling TLS 1.0 and 1.1 is "SSLProtocol -all +TLSv1.2 +TLSv1.3", and the POA&M should carry the before and after snippets. Always schedule a credentialed verification rescan and attach its output to the POA&M entry.
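The verification rescan deserves the same rigor as the original scan, because a finding that stops appearing is only closed if the rescan actually covered the host with working credentials. The following is an added example, not code from the original page: the POA&M register and the rescan report are constructed, and their shapes (a per-host coverage record with reachability and credentialed-login flags, plus the detections keyed by hostname and scanner plugin ID as in step 1) are assumptions. It decides, per open POA&M, whether the rescan proves closure, shows the finding persisting, or proves nothing at all, flags items past their target date, and attaches the scan reference as closure evidence.

```python
from datetime import date

# Constructed POA&M register, reduced to the fields this check needs.
POAMS = [
    {"finding_id": "POAM-2024-0001", "hostname": "web01", "scanner_id": "100001",
     "target_completion": "2024-05-15", "status": "Open"},
    {"finding_id": "POAM-2024-0002", "hostname": "mail01", "scanner_id": "100002",
     "target_completion": "2024-06-07", "status": "Open"},
    {"finding_id": "POAM-2024-0003", "hostname": "print01", "scanner_id": "100003",
     "target_completion": "2024-05-10", "status": "Open"},
]

# Constructed verification rescan: coverage per host (reachable? did the
# credentialed login succeed?) plus whatever was still detected.
RESCAN = {
    "scan_id": "rescan-0042",
    "date": "2024-05-20",
    "hosts": {
        "web01": {"reachable": True, "credentialed": True},
        "mail01": {"reachable": True, "credentialed": False},  # scan account login failed
        # print01 is absent: it was offline during the scan window
    },
    "detections": [{"hostname": "mail01", "scanner_id": "100002"}],
}


def verify_closure(poams, rescan):
    """Per open POA&M, state what the rescan actually proves.

    closed     - host covered by a credentialed scan and the finding is gone
    open       - still detected; the remediation did not work
    unverified - host unreachable, out of scope, or scanned without
                 credentials, so a missing detection proves nothing
    overdue    - target date has passed without a closed verdict
    """
    detected = {(d["hostname"], d["scanner_id"]) for d in rescan["detections"]}
    scan_date = date.fromisoformat(rescan["date"])
    results = []
    for p in poams:
        if p["status"] != "Open":
            continue
        coverage = rescan["hosts"].get(p["hostname"])
        if (p["hostname"], p["scanner_id"]) in detected:
            verdict = "open"
        elif coverage and coverage["reachable"] and coverage["credentialed"]:
            verdict = "closed"
        else:
            verdict = "unverified"
        results.append({
            "finding_id": p["finding_id"],
            "verdict": verdict,
            "overdue": verdict != "closed" and scan_date > date.fromisoformat(p["target_completion"]),
            "evidence": f"{rescan['scan_id']} ({rescan['date']})" if verdict == "closed" else None,
        })
    return results


def apply_results(poams, results):
    """Return an updated register: closed items get the evidence reference
    attached; everything else stays Open, and unverified or overdue items
    are flagged for the monthly review. The input register is not mutated."""
    by_id = {r["finding_id"]: r for r in results}
    updated = []
    for p in poams:
        entry, r = dict(p), by_id.get(p["finding_id"])
        if r and r["verdict"] == "closed":
            entry["status"] = "Closed"
            entry["evidence"] = [r["evidence"]]
        elif r:
            entry["needs_review"] = r["verdict"] == "unverified" or r["overdue"]
        updated.append(entry)
    return updated


if __name__ == "__main__":
    for r in verify_closure(POAMS, RESCAN):
        print(r["finding_id"], r["verdict"], "overdue" if r["overdue"] else "")
```

The point of the `unverified` verdict is the mail01 case: the credentialed login failed, so if that host had shown no detection it would still not be closed. Scanners report failed credential checks in their own plugins or scan summary; feed that flag into the coverage record rather than reading closure off the absence of a finding.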
Compliance tips, best practices and the risk of non-compliance
Best practices: run weekly authenticated internal scans and at least quarterly external scans; keep a living POA&M reviewed monthly by the security owner and quarterly by leadership; tier CUI assets and escalate any CUI-related Critical finding immediately. For assessors, provide a POA&M export, the linked change tickets, before-and-after scan evidence, and minutes from POA&M reviews. The risks of not implementing this control are severe: unresolved vulnerabilities invite exploitation and exfiltration of CUI, and the downstream consequences include loss of DoD contracts, financial penalties, and reputational damage. For a small business, a single compromise can jeopardize the entire organization and its future government contracting opportunities.
Summary: convert scan output into a repeatable POA&M workflow: normalize findings, risk-score them with CUI context, create complete POA&M entries (with owners, milestones, and evidence), integrate with ticketing for execution, and verify with credentialed rescans. This structured, auditable approach satisfies CA.L2-3.12.2 and reduces real operational risk while producing defensible artifacts for assessments.