GRCWatch
Sign inStart free trial

NIST CSF DE.CM-8: Vulnerability Scanning Controls

Vulnerability scanning is a foundational detection mechanism that identifies weaknesses before attackers exploit them. Under NIST Cybersecurity Framework's Detect function, DE.CM-8 requires organizations to systematically scan for and document vulnerabilities across systems and applications. For SMBs with limited security staff, automating this control reduces manual effort while maintaining continuous visibility.

What this means

DE.CM-8 mandates that your organization perform regular vulnerability scans to identify potential security weaknesses in systems, networks, and applications. Unlike one-time assessments, vulnerability scanning must be an ongoing process that detects misconfigurations, unpatched software, weak credentials, and other exploitable flaws. The control emphasizes both the execution of scans and the documentation of results for remediation tracking.

How to comply

  1. 1.Establish a vulnerability scanning schedule (daily, weekly, or monthly depending on asset criticality) using automated tools
  2. 2.Define scope: identify all systems, applications, and network segments to be scanned
  3. 3.Configure scanners to test for industry-standard vulnerability databases (CVE, NVD)
  4. 4.Implement authenticated scans where possible to identify internal weaknesses
  5. 5.Document all scan results with severity ratings, affected assets, and remediation owners
  6. 6.Establish a remediation SLA process tied to vulnerability severity levels
  7. 7.Conduct periodic scans after system changes, patches, or deployments
  8. 8.Maintain audit logs of all scanning activities and results for compliance evidence

Evidence auditors look for

  • Vulnerability scan reports with timestamps, tools used, and discovered findings
  • Scanning schedule and scope documentation showing what assets are covered
  • Remediation tracking tickets linking scan findings to resolution and closure
  • Tool configuration settings demonstrating authenticated vs. unauthenticated scan methods
  • Quarterly or annual vulnerability management metrics and trend analysis
  • System change logs correlating scans performed after updates or deployments
  • Scan exception or waiver approvals for findings that cannot be immediately remediated

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automatically aggregates vulnerability scan results from your existing tools, maintains audit-ready evidence records, and tracks remediation workflows—eliminating spreadsheet chaos and proving continuous compliance to auditors in minutes.

See how GRCWatch handles this control automatically

Start free trial

Related controls

DE.CM-1 Network monitoringDE.CM-3 Personnel activity monitoringDE.CM-7 Monitoring for unauthorized personnel, connections, devices, and softwareID.RA-1 Asset inventory and device discoveryRC.RP-1 Response and recovery planning