Control 3.11.2
Scan for Vulnerabilities
Official Requirement
Scan for vulnerabilities in organizational information systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
What This Means in Plain English
Regularly scan your systems for known security vulnerabilities and also scan whenever new critical vulnerabilities are announced. Discovered vulnerabilities must be tracked and remediated in a timely manner.
How Petronella Implements This Control
Petronella Technology Group implements this control through:
- Weekly automated vulnerability scans using Sophos XDR across all endpoints
- Monthly network vulnerability scans using FortiGate vulnerability scanning
- CrowdStrike Falcon Spotlight providing real-time vulnerability assessment
- Emergency scans triggered within 24 hours of critical CVE announcements
- Vulnerability tracking and remediation timeline management in ComplianceArmor
Assessment Guidance
Assessors will review vulnerability scan schedules and recent results, verify that scan coverage includes all CUI systems, check vulnerability remediation timelines, and confirm that ad-hoc scans occur when new critical vulnerabilities are announced.
Common Implementation Gaps
- No regular vulnerability scanning
- Scans performed but results not reviewed or acted upon
- Not all systems included in scan scope
- No process for emergency scans on critical CVEs
- Vulnerability remediation not tracked or timelines not met
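The gaps above (systems missing from scan scope, stale scans, and findings left open past their remediation deadline) are the kind of thing an assessor will check from the scan records themselves. The following script, added here as an illustration and not code from Petronella or any scanner vendor, runs those three checks over a constructed set of scan results. The asset names, finding identifiers, dates and the per-severity remediation deadlines in SLA_DAYS are all assumptions; the page states no specific timelines.

```python
from datetime import date, timedelta

# Assumed remediation deadlines in days by severity. The control text gives no
# numbers; these are placeholders an organization would replace with its own policy.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed inventory of in-scope (CUI) systems. Every one of these must appear
# in the scan results, or the scan scope has a gap.
CUI_ASSETS = {"fs-01", "db-01", "wks-042", "vpn-gw"}

# Constructed scan output: one record per scanned asset, with its last scan date
# and the findings reported. Finding ids are placeholders, not real CVEs.
SCAN_RESULTS = [
    {"asset": "fs-01", "scanned": "2024-05-06", "findings": [
        {"id": "F-1", "severity": "critical", "first_seen": "2024-04-20", "status": "open"},
        {"id": "F-2", "severity": "low", "first_seen": "2024-01-01", "status": "remediated"},
    ]},
    {"asset": "db-01", "scanned": "2024-04-25", "findings": [
        {"id": "F-3", "severity": "high", "first_seen": "2024-04-25", "status": "open"},
    ]},
    {"asset": "wks-042", "scanned": "2024-05-09", "findings": []},
]

# Fixed "today" so the example is reproducible offline.
AS_OF = date(2024, 5, 10)


def coverage_gaps(assets, results):
    """Return in-scope assets that have no scan record at all."""
    scanned = {r["asset"] for r in results}
    return sorted(assets - scanned)


def stale_scans(results, max_age_days, as_of):
    """Return assets whose most recent scan is older than max_age_days."""
    cutoff = as_of - timedelta(days=max_age_days)
    return sorted(r["asset"] for r in results
                  if date.fromisoformat(r["scanned"]) < cutoff)


def overdue_findings(results, sla_days, as_of):
    """Return (asset, finding id, days overdue) for open findings past their SLA.

    The deadline is first_seen plus the severity's SLA; findings that are already
    remediated or still within their window are not reported.
    """
    overdue = []
    for record in results:
        for f in record["findings"]:
            if f["status"] != "open":
                continue
            deadline = date.fromisoformat(f["first_seen"]) + timedelta(days=sla_days[f["severity"]])
            if as_of > deadline:
                overdue.append((record["asset"], f["id"], (as_of - deadline).days))
    return sorted(overdue)


def scan_health_report(assets, results, sla_days, scan_interval_days, as_of):
    """Bundle the three checks into one report an assessor could be shown."""
    return {
        "not_in_scope": coverage_gaps(assets, results),
        "stale_scans": stale_scans(results, scan_interval_days, as_of),
        "overdue_findings": overdue_findings(results, sla_days, as_of),
    }


if __name__ == "__main__":
    # A weekly scan cadence (7 days) matches the endpoint schedule listed on the page.
    report = scan_health_report(CUI_ASSETS, SCAN_RESULTS, SLA_DAYS, 7, AS_OF)
    for key, value in report.items():
        print(f"{key}: {value}")
```

In the constructed data, vpn-gw never appears in the results, db-01 was last scanned more than a week before the report date, and the critical finding on fs-01 is 13 days past its assumed 7-day deadline while the high finding on db-01 is still within its window; an empty report across all three keys is the state the assessment guidance describes.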
Cross-Framework Mapping
| Framework | Mapped Controls |
|---|---|
| NIST SP 800-53 | RA-5, RA-5(5) |
| HIPAA | 164.308(a)(1)(ii)(A) - Risk Analysis |
| PCI DSS | Req 11.2 - Run internal and external network vulnerability scans |
Need Help Implementing 3.11.2?
Our CMMC-RP certified team can assess your current compliance posture and build a remediation plan.