
RA.L2-3.11.2 Vulnerability Scan

Risk Assessment 2 of 3 in family

Scan for Vulnerabilities.

Regular vulnerability scans plus ad-hoc scans when new critical vulnerabilities are disclosed.

The one-liner

If you're not scanning regularly, you're waiting to be surprised by an attacker who is.

Practice names: DoD CIO CMMC Model Overview v2.0 (CC BY 4.0).

3.11.2 — Scan for Vulnerabilities

Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.

Two scanning triggers: periodic (a defined schedule; monthly or quarterly is standard) and event-driven (when a newly disclosed critical vulnerability affects technology you run).

All CUI systems must be scanned: servers, workstations, network devices, cloud services, and applications, plus the targets teams routinely forget, such as networked printers, scanners, and copiers, which run firmware and sit on the network like any other host. Devices that don't routinely connect (laptops that travel or stay remote) still have to be scanned; schedule them in rather than letting them slip through the gaps.

Scans cover both infrastructure (OS, services, ports) and applications (web apps, custom software). Run them authenticated (credentialed) wherever you can: an unauthenticated scan sees only what is exposed on the network, while a credentialed scan logs in to enumerate installed software and missing patches that unauthenticated scanning systematically under-reports. Expect the assessor to ask which mode your scans run in. Custom-developed software needs more than an automated network scan: scan the source code before deployment and use penetration testing to confirm which findings are real.

Verify that the scanner refreshes its vulnerability database at the start of every scan; stale plugins produce stale results, and a scan that cannot see last week's disclosure defeats the "when new vulnerabilities are identified" half of the requirement. Schedule scans with operational impact in mind, taking extra care around critical or fragile assets. Results are documented, triaged, and fed into remediation (3.11.3).
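The two triggers and the coverage checks above, as an added example (not code from this page, the CMMC model, or any scanner vendor). It assumes the CISA KEV JSON layout (a top-level "vulnerabilities" list whose entries carry cveID, vendorProject, product and dateAdded), which is the real feed's shape, but every feed entry, hostname and scan record below is constructed sample data and the CVE IDs are placeholders. It matches new KEV additions against a CUI inventory to decide which hosts need an ad-hoc scan, flags hosts that fell out of the periodic window or were only scanned unauthenticated, and checks that the plugin feed was fresh when a scan started.

```python
"""Ad-hoc scan trigger and coverage checks for 3.11.2.

Added example, not from the CMMC page or any scanner vendor. It assumes:
  * the CISA KEV JSON layout (a top-level "vulnerabilities" list whose entries
    carry cveID, vendorProject, product and dateAdded), which is the real
    feed's shape, but every entry below is constructed sample data and the
    CVE IDs are placeholders;
  * a hypothetical CUI asset inventory and scan-results export, constructed
    inline. All dates are ISO-8601 strings so the checks need no clock.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    hostname: str
    cui: bool                  # in scope for CUI, so it must be scanned
    software: tuple[str, ...]  # lowercase "vendor/product" keys


# Constructed inventory (hypothetical hostnames). Note the printer and the
# roaming laptop: the assets that typically fall out of scan coverage.
INVENTORY = [
    Asset("fs01",        True,  ("microsoft/windows server", "fortinet/fortios")),
    Asset("print-3f",    True,  ("hp/futuresmart",)),
    Asset("lt-roaming7", True,  ("microsoft/windows", "google/chrome")),
    Asset("lab-test",    False, ("canonical/ubuntu",)),
]

# Constructed KEV-style feed. Same field names as the real feed; fake CVE IDs.
KEV_FEED = {
    "vulnerabilities": [
        {"cveID": "CVE-2099-0001", "vendorProject": "Fortinet",  "product": "FortiOS",
         "dateAdded": "2025-03-12"},
        {"cveID": "CVE-2099-0002", "vendorProject": "HP",        "product": "FutureSmart",
         "dateAdded": "2025-03-14"},
        {"cveID": "CVE-2099-0003", "vendorProject": "Canonical", "product": "Ubuntu",
         "dateAdded": "2025-03-15"},
        {"cveID": "CVE-2099-0004", "vendorProject": "Fortinet",  "product": "FortiOS",
         "dateAdded": "2025-02-01"},  # already covered by the last periodic scan
    ],
}

# Constructed scan-results export: hostname -> (last scan date, credentialed?).
SCAN_LOG = {
    "fs01":        ("2025-03-03", True),
    "print-3f":    ("2025-03-03", False),
    "lt-roaming7": ("2025-01-09", True),   # off-site laptop, missed two cycles
}


def kev_triggers(feed, inventory, last_periodic_scan):
    """Event-driven trigger: {hostname: [cveID, ...]} for CUI assets running a
    vendor/product that KEV gained after the last periodic scan. Those hosts
    get an ad-hoc scan now instead of waiting for the next scheduled run."""
    since = date.fromisoformat(last_periodic_scan)
    new_entries = [v for v in feed["vulnerabilities"]
                   if date.fromisoformat(v["dateAdded"]) > since]
    hits = {}
    for asset in inventory:
        if not asset.cui:
            continue
        for v in new_entries:
            key = f'{v["vendorProject"]}/{v["product"]}'.lower()
            if key in asset.software:
                hits.setdefault(asset.hostname, []).append(v["cveID"])
    return hits


def coverage_gaps(inventory, scan_log, as_of, max_age_days=31):
    """Periodic-coverage check: CUI assets with no credentialed scan inside the
    scheduled window. Unauthenticated-only results are flagged too because
    they under-report missing patches; a device with no credentialed option
    (many printers) needs a documented justification rather than silence."""
    today = date.fromisoformat(as_of)
    gaps = {}
    for asset in inventory:
        if not asset.cui:
            continue
        rec = scan_log.get(asset.hostname)
        if rec is None:
            gaps[asset.hostname] = "never scanned"
        elif (today - date.fromisoformat(rec[0])).days > max_age_days:
            gaps[asset.hostname] = f"last scanned {rec[0]}"
        elif not rec[1]:
            gaps[asset.hostname] = "unauthenticated only"
    return gaps


def feed_is_stale(plugin_feed_updated, scan_started, max_age_days=1):
    """True when the scanner's plugin/signature feed was last refreshed more
    than max_age_days before the scan started: stale plugins, stale results."""
    age = date.fromisoformat(scan_started) - date.fromisoformat(plugin_feed_updated)
    return age.days > max_age_days


if __name__ == "__main__":
    print("ad-hoc scans needed:", kev_triggers(KEV_FEED, INVENTORY, "2025-03-01"))
    print("coverage gaps:", coverage_gaps(INVENTORY, SCAN_LOG, "2025-03-20"))
    print("feed stale?", feed_is_stale("2025-03-10", "2025-03-20"))
```

Feed the real KEV JSON and your own inventory export into the same two functions and keep the output of each run with its timestamp; that record is the "ad-hoc scan triggered by a critical CVE" evidence the assessor asks for, and the coverage-gap output is the list of laptops and printers to chase before the next cycle. Matching on vendor/product is deliberately coarse: it over-triggers rather than missing a host, and the scan itself settles whether the host is actually affected.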


Your assessor needs a “yes” to every row:

# | Question | What "yes" looks like
1 | Is the scan frequency defined? | Policy specifies the scan schedule; monthly is standard
2 | Are systems scanned per the schedule? | Scan results showing regular execution across all CUI systems
3 | Are applications scanned per the schedule? | Application vulnerability scans or code reviews on a defined schedule
4 | Are systems scanned when new vulnerabilities emerge? | Ad-hoc scan records triggered by CISA KEV additions or critical CVEs
5 | Are applications scanned when new vulnerabilities emerge? | Ad-hoc application scans for newly disclosed vulnerabilities

Documents they’ll review: Risk assessment policy; vulnerability scanning procedures and schedule; scan results (recent and historical); scanner configuration; system security plan; ad-hoc scan records triggered by critical CVEs

People they’ll talk to: Personnel with risk assessment and vulnerability management responsibilities; information security personnel

Live demos they’ll ask for: “Show me your most recent vulnerability scan results.” “Are all CUI systems covered — endpoints, servers, network devices, cloud?” “Show me an ad-hoc scan triggered by a critical CVE.”


These are the actual questions. Have answers ready.

  • “How often do you scan for vulnerabilities? Show me the schedule.”
  • “Show me the most recent scan results.”
  • “Are all CUI systems covered — including network devices and cloud?”
  • “Show me an ad-hoc scan triggered by a new critical vulnerability.”

No regular scanning. Only scanning before the annual assessment. Monthly is the standard.

Incomplete coverage. Workstations scanned but not network devices, cloud services, applications, or the networked printers, scanners, and copiers quietly running outdated firmware. Scan everything in your CUI environment.

No ad-hoc scans. A critical CVE is published and you wait for the next monthly scan. Critical disclosures require immediate scanning.



Requirement | Why it matters here
3.11.1 — Assess Your Risks | Vulnerability data feeds the risk assessment
3.11.3 — Fix What You Find | Scan results drive remediation
3.14.1 — Patch Your Systems | Patching remediates the vulnerabilities identified by scanning