Vulnerability

A vulnerability is a weakness in a system, software, process, or configuration that could be exploited by a threat actor to gain unauthorized access, disrupt operations, or steal data. Vulnerabilities can exist in software code (bugs), system configurations (misconfigurations), business processes (procedural gaps), or people (susceptibility to social engineering).

Vulnerabilities are identified through scanning, penetration testing, and vendor advisories. Once discovered, they're typically tracked using CVE identifiers and scored using CVSS to prioritize remediation. Managing vulnerabilities — finding them, prioritizing them, and fixing them — is a core cybersecurity activity.

Why It Matters

Vulnerability management is a fundamental CMMC requirement. Regularly scanning for and remediating vulnerabilities demonstrates that you're actively managing your security posture rather than waiting for an attacker to find your weaknesses.

Related Resources

CMMC: RA.L2-3.11.2
NIST 800-171: 3.11.2
NIST 800-53: RA-5
NIST 800-53: SA-11(2)
NIST 800-53: SA-15(4)
NIST 800-53: SA-15(7)
NIST 800-53: SA-15(8)