NIST 800-171 • LEVEL 2 • RISK ASSESSMENT
3.11.2 — Vulnerability Monitoring and Scanning
Monitor and scan the system for vulnerabilities {{ insert: param, A.03.11.02.ODP.01 }} and when new vulnerabilities affecting the system are identified. Remediate system vulnerabilities within {{ insert: param, A.03.11.02.ODP.03 }}. Update system vulnerabilities to be scanned {{ insert: param, A.03.11.02.ODP.04 }} and when new vulnerabilities are identified and reported.
CMMC Practice Mapping
Assessment Objectives
- the system is monitored for vulnerabilities {{ insert: param, A.03.11.02.ODP.01 }}.
- the system is scanned for vulnerabilities {{ insert: param, A.03.11.02.ODP.02 }}.
- system vulnerabilities are remediated within {{ insert: param, A.03.11.02.ODP.03 }}.
- the system is monitored for vulnerabilities when new vulnerabilities that affect the system are identified.
- the system is scanned for vulnerabilities when new vulnerabilities that affect the system are identified.
- system vulnerabilities to be scanned are updated {{ insert: param, A.03.11.02.ODP.04 }}.
- system vulnerabilities to be scanned are updated when new vulnerabilities are identified and reported.
Practitioner Notes
Vulnerability scanning means regularly checking your systems for known weaknesses -- missing patches, misconfigurations, outdated software -- before an attacker finds them.
Example 1: Run authenticated Nessus (or ACAS if you are in a DoD environment) scans against all your endpoints and servers at least monthly. Use credentialed scans so the scanner can log into each machine and check installed software versions, not just probe from the outside. Review the results filtered by CVSS score 7.0 and above for priority remediation.
Example 2: Enable Microsoft Defender Vulnerability Management in the Microsoft 365 Defender portal. It continuously monitors your enrolled devices for vulnerabilities and misconfigurations, assigns severity scores, and even recommends specific remediation steps -- all without running a separate scan tool.
The key here is consistency. Scanning once a year will not cut it. Set up recurring scans and make sure someone is actually reviewing the results and tracking remediation.
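To make the "tracking remediation" part of the note concrete, here is an added example (not from this page or from any scanner vendor) that reads a credentialed-scan export, keeps the open findings at or above the CVSS 7.0 threshold from Example 1, and lists those that have exceeded the organization-defined response time for their severity band. The CSV columns, the hosts and plugin ids, and the day counts in RESPONSE_DAYS are constructed placeholders standing in for the organization's own ODP.03 values.

```python
import csv
import io
from datetime import date, timedelta

# Hypothetical response times in days per severity band. Placeholders for the
# organization's own ODP.03 values; they are not figures from the control text.
RESPONSE_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}


def severity(cvss: float) -> str:
    """Map a CVSS v3 base score to its qualitative severity band."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def overdue_findings(csv_text: str, as_of: str, min_cvss: float = 7.0) -> list:
    """Return open findings scoring at or above min_cvss whose age exceeds the
    response time for their band, most overdue first. as_of is an ISO date."""
    today = date.fromisoformat(as_of)
    overdue = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["status"].strip().lower() != "open":
            continue  # fixed or risk-accepted findings are tracked elsewhere
        cvss = float(row["cvss"])
        if cvss < min_cvss:
            continue  # below the priority threshold (7.0 in the note above)
        band = severity(cvss)
        due = date.fromisoformat(row["first_seen"]) + timedelta(days=RESPONSE_DAYS[band])
        if today > due:
            overdue.append({"host": row["host"], "plugin": row["plugin"],
                            "severity": band, "days_overdue": (today - due).days})
    overdue.sort(key=lambda f: f["days_overdue"], reverse=True)
    return overdue


# Constructed sample export (not real scan data): host, scanner plugin id,
# CVSS base score, date first detected, current status.
SAMPLE_EXPORT = """host,plugin,cvss,first_seen,status
srv-01,12345,9.8,2024-01-01,open
srv-02,23456,7.5,2024-02-10,open
ws-03,34567,5.3,2024-01-01,open
srv-01,45678,8.1,2024-01-05,fixed
"""

if __name__ == "__main__":
    for f in overdue_findings(SAMPLE_EXPORT, "2024-03-01"):
        print(f"{f['host']} plugin {f['plugin']} ({f['severity']}): "
              f"{f['days_overdue']} days past the response time")
```

Running it against the sample as of 2024-03-01 lists only the critical finding on srv-01; lowering min_cvss to 4.0 extends the same check to the medium band, which is how you would evidence each objective's response time separately.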