GRCWatch
Sign inStart free trial

NIST 800-171 3.11.2: Vulnerability Scanning Requirements

Vulnerability scanning is a foundational control that identifies security weaknesses in your systems and applications before attackers exploit them. NIST SP 800-171 requires organizations to scan periodically and respond when new vulnerabilities emerge. Without a systematic approach, you'll miss critical exposures that put controlled unclassified information at risk.

What this means

Control 3.11.2 mandates that your organization conduct recurring vulnerability scans across all systems and applications in your environment. You must also initiate scans immediately when new vulnerabilities are discovered that could affect your infrastructure. The goal is continuous visibility into your security posture and rapid remediation of identified weaknesses before they become exploitable.

How to comply

  1. 1.Establish a vulnerability scanning schedule (monthly, quarterly, or risk-based frequency) and document it in your security policy
  2. 2.Deploy automated vulnerability scanning tools across all systems, applications, and network segments
  3. 3.Configure scanners to cover internal networks, web applications, databases, and cloud infrastructure
  4. 4.Monitor vulnerability disclosure databases and threat feeds to identify newly released CVEs affecting your environment
  5. 5.Trigger ad-hoc scans when critical vulnerabilities are announced or after significant system changes
  6. 6.Document all scan results, including findings, severity ratings, and remediation timelines
  7. 7.Establish a process to prioritize and remediate vulnerabilities based on severity and exploitability
  8. 8.Maintain scan reports and remediation evidence for audit and compliance verification

Evidence auditors look for

  • Vulnerability scanning tool configuration and scheduling documentation
  • Scan schedules showing monthly, quarterly, or continuous scanning frequency
  • Historical scan reports with dates, systems scanned, and vulnerabilities identified
  • Vulnerability remediation logs with timelines and completion evidence
  • Threat monitoring procedures showing how new CVEs trigger emergency scans
  • Network architecture diagrams showing all systems included in scanning scope
  • Tool licensing and deployment records confirming scanner coverage
  • Audit logs from scanning tools showing when scans executed and results generated

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automatically schedules and executes vulnerability scans across your infrastructure, consolidates results from multiple tools, and tracks remediation progress—eliminating manual scanning coordination and providing audit-ready evidence of continuous compliance.

See how GRCWatch handles this control automatically

Start free trial

Related controls

NIST 800-171 3.11.1 (Flaw Identification and Reporting)NIST 800-171 3.12.1 (Security Impact Analysis)NIST 800-171 3.4.7 (Information System Monitoring)NIST 800-171 3.10.1 (Information Integrity)