3.11.2 — Scan for Vulnerabilities
What It Says
Section titled “What It Says”Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
What It Actually Means
Section titled “What It Actually Means”Two scanning triggers: periodic (defined schedule — monthly or quarterly is standard) and event-driven (when a new critical vulnerability is disclosed that affects your technology). All CUI systems must be scanned: servers, workstations, network devices, cloud services, and applications. Scans cover both infrastructure (OS, services, ports) and applications (web apps, custom software). Results are documented, triaged, and fed into remediation (3.11.3).
Pass or Fail
Section titled “Pass or Fail”Your assessor needs a “yes” to every row:
| # | Question | What “yes” looks like |
|---|---|---|
| 1 | Is the scan frequency defined? | Policy specifies scan schedule — monthly is standard |
| 2 | Are systems scanned per the schedule? | Scan results showing regular execution across all CUI systems |
| 3 | Are applications scanned per the schedule? | Application vulnerability scans or code reviews on defined schedule |
| 4 | Are systems scanned when new vulnerabilities emerge? | Ad-hoc scan records triggered by CISA KEV additions or critical CVEs |
| 5 | Are applications scanned when new vulnerabilities emerge? | Ad-hoc application scans for newly disclosed vulnerabilities |
What to Have Ready on Assessment Day
Section titled “What to Have Ready on Assessment Day”Documents they’ll review: Risk assessment policy; vulnerability scanning procedures and schedule; scan results (recent and historical); scanner configuration; system security plan; ad-hoc scan records triggered by critical CVEs
People they’ll talk to: Personnel with risk assessment and vulnerability management responsibilities; information security personnel
Live demos they’ll ask for: “Show me your most recent vulnerability scan results.” “Are all CUI systems covered — endpoints, servers, network devices, cloud?” “Show me an ad-hoc scan triggered by a critical CVE.”
The Assessor’s Playbook
Section titled “The Assessor’s Playbook”These are the actual questions. Have answers ready.
- “How often do you scan for vulnerabilities? Show me the schedule.”
- “Show me the most recent scan results.”
- “Are all CUI systems covered — including network devices and cloud?”
- “Show me an ad-hoc scan triggered by a new critical vulnerability.”
Where Companies Trip Up
Section titled “Where Companies Trip Up”No regular scanning. Only scanning before the annual assessment. Monthly is the standard.
Incomplete coverage. Workstations scanned but not network devices, cloud services, or applications. Scan everything in your CUI environment.
No ad-hoc scans. A critical CVE is published and you wait for the next monthly scan. Critical disclosures require immediate scanning.
How to Talk About This
Section titled “How to Talk About This”Connected Requirements
Section titled “Connected Requirements”| Requirement | Why it matters here |
|---|---|
| 3.11.1 — Assess Your Risks | Vulnerability data feeds the risk assessment |
| 3.11.3 — Fix What You Find | Scan results drive remediation |
| 3.14.1 — Patch Your Systems | Patching remediates the vulnerabilities identified by scanning |
Implementation (coming soon)
Section titled “Implementation (coming soon)”Step-by-step setup for Microsoft 365 / Entra ID, AWS, Azure, and GCP — console steps, CLI commands, and evidence screenshots.
CMMC Practice ID: RA.L2-3.11.2 | SPRS Weight: 5 points | POA&M Eligible: No