GRCWatch
Sign inStart free trial

CMMC RA.L2-3.11.2 Vulnerability Scan Control

Vulnerability scanning is a foundational security control that identifies weaknesses in your systems before attackers do. CMMC Level 2 requires periodic scans plus prompt rescans when new vulnerabilities emerge—making continuous discovery essential for defense contractors.

What this means

This control mandates that your organization regularly scan all information systems and applications for known vulnerabilities. You must also perform targeted scans whenever security researchers or vendors announce new vulnerabilities that could affect your environment. The goal is continuous visibility into exploitable weaknesses so you can remediate before they become breach vectors.

How to comply

  1. 1.Select and deploy vulnerability scanning tools (both network and application scanners) across your IT environment
  2. 2.Establish a baseline scanning schedule—at minimum quarterly, though monthly or continuous scanning is recommended for CMMC readiness
  3. 3.Create a process to monitor vulnerability disclosures (CVE feeds, vendor advisories, CISA alerts) that apply to your systems
  4. 4.Trigger emergency rescans within 48-72 hours of critical vulnerability announcements affecting your tech stack
  5. 5.Document all scans including dates, systems scanned, tools used, vulnerabilities found, and remediation actions
  6. 6.Review scan results promptly and prioritize remediation based on severity and exploitability
  7. 7.Maintain scan logs and evidence for auditors covering at least the last 12 months

Evidence auditors look for

  • Vulnerability scan reports with timestamps and scope (network ranges, hostnames, applications scanned)
  • Scanning tool configuration and baseline settings showing recurring scan schedules
  • CVE tracking log showing vulnerability disclosures monitored and corresponding rescan dates
  • Emergency scan reports triggered by zero-day or critical vulnerability announcements
  • Remediation tracking spreadsheet linking vulnerabilities to patches, workarounds, or risk acceptance decisions
  • Scan tool access logs showing regular authentication and tool operation by authorized personnel
  • Risk assessment documentation for vulnerabilities deemed acceptable to retain unpatched

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates vulnerability scan scheduling, aggregates results from your existing scanners, flags new CVEs that affect your inventory, and generates audit-ready evidence reports—eliminating manual scan tracking and ensuring you never miss a critical rescan deadline.

See how GRCWatch handles this control automatically

Start free trial

Related controls

RA.L2-3.11.1 — Flaw RemediationRA.L2-3.11.3 — Security Testing and EvaluationSA.L2-3.12.1 — System Development Life Cycle