NIST SP 800-171 Rev 2 §3.11.2 requires organizations to scan for vulnerabilities in their systems and applications periodically and whenever new vulnerabilities are identified. The practice applies specifically to systems and applications that process, store, or transmit CUI. Organizations must first define the scanning frequency in a documented policy or plan, then execute scans against that schedule consistently. In addition to scheduled scans, the practice mandates event-driven scans triggered by new vulnerability disclosures—such as NVD/CVE publications or vendor security advisories—that may affect in-scope assets. Both the periodic and event-driven dimensions must be satisfied for all five assessment objectives to be met.
Where it stops · what it isn't
- This practice does not require remediation or patching of discovered vulnerabilities—that is addressed by RA-L2-3.11.3
- This practice does not cover penetration testing, red team exercises, or active exploitation attempts
- This practice does not address vulnerability scanning of systems outside the CUI boundary or unrelated corporate IT infrastructure unless they connect to CUI systems
- This practice does not specify a mandatory scanning frequency—the organization defines the frequency, but it must be documented and adhered to
- This practice does not cover physical vulnerability assessments or social engineering evaluations