Vulnerability management is addressed by several NIST SP 800-171 requirements, most directly RA.L2-3.11.2 (scan for vulnerabilities periodically and when new vulnerabilities affecting the system are identified) and RA.L2-3.11.3 (remediate vulnerabilities in accordance with risk assessments). Together, these requirements mandate not just scanning but a complete vulnerability lifecycle from discovery through remediation.
Selecting a Scanner
Choose a vulnerability scanner that covers your technology stack. For most defense contractors, this means a tool capable of scanning Windows and Linux endpoints, network infrastructure, web applications, and cloud environments. Popular options include Tenable Nessus, Qualys, Rapid7 InsightVM, and Microsoft Defender Vulnerability Management. The scanner must maintain current vulnerability signatures and support credentialed scanning for deeper analysis.
Credentialed scans are important — unauthenticated scans miss many vulnerabilities because they cannot inspect installed software versions, registry settings, or configuration details. Deploy scanning credentials securely and limit their privileges to read-only access where possible.
Scanning Cadence
NIST 800-171 requires scanning "periodically" but does not prescribe a specific frequency. Industry consensus and best practice is monthly scanning at minimum for the full environment. Additionally, scan when new critical vulnerabilities are announced (zero-days, actively exploited CVEs), when significant system changes occur (new servers, software deployments), and before and after major maintenance windows.
Prioritizing Vulnerabilities
A typical scan of even a small network will produce hundreds or thousands of findings. You cannot fix everything at once, and not all vulnerabilities carry equal risk. Use a risk-based prioritization approach:
Critical (CVSS 9.0 and above): Vulnerabilities with known exploits, especially those on internet-facing systems or systems processing CUI. Remediate within 15-30 days.
High (CVSS 7.0-8.9): Significant vulnerabilities that require attention. Remediate within 30-60 days.
Medium (CVSS 4.0-6.9): Moderate risk. Remediate within 90 days or accept risk with documented justification.
Low/Informational: Address during regular maintenance cycles or accept with documentation.
The Remediation Process
Scanning without remediation is worthless. Build a process that moves from scan results to action: review scan results within 48 hours of scan completion, validate findings (eliminate false positives), create remediation tickets with assigned owners and due dates, track remediation progress against your SLA targets, and re-scan to verify that fixes are effective.
Document everything. Your assessor will want to see not just your latest scan results but your remediation history — evidence that vulnerabilities are being identified and closed systematically, not just discovered and ignored.
Metrics and Reporting
Track key metrics: mean time to remediate by severity level, vulnerability aging (how long findings remain open), scan coverage (percentage of assets scanned), and trend lines showing whether your overall vulnerability posture is improving. Report these metrics monthly to management. A vulnerability management program that runs in the background without visibility to leadership is a program that will eventually be deprioritized.
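The prioritization tiers above and the metrics in this section, worked as an added example (not a CMMCDocs.com tool or any scanner's own reporting): each finding is a dict with a CVSS score, discovery date, optional closure date and optional `exploited`, `internet_facing` and `cui` flags, all of which are assumed field names, and the sample findings are constructed.

```python
from datetime import date, timedelta
# SLA tiers from the article: (label, CVSS floor, remediation days). Critical drops to
# 15 days when a known exploit exists on an internet-facing or CUI host; Low has no SLA.
TIERS = [("Critical", 9.0, 30), ("High", 7.0, 60), ("Medium", 4.0, 90), ("Low", 0.0, None)]

def classify(f):
    """Return (tier, sla_days) for one finding dict."""
    for label, floor, days in TIERS:
        if f["cvss"] >= floor:
            if label == "Critical" and f.get("exploited") and (f.get("internet_facing") or f.get("cui")):
                days = 15
            return label, days

def due_date(f):
    """Date the SLA runs out, or None when no SLA applies."""
    days = classify(f)[1]
    return None if days is None else f["found"] + timedelta(days=days)

def overdue(findings, today):
    """IDs of open findings whose SLA date has passed."""
    return [f["id"] for f in findings
            if f.get("closed") is None and due_date(f) is not None and due_date(f) < today]

def aging(findings, today):
    """Days each open finding has remained unremediated (vulnerability aging)."""
    return {f["id"]: (today - f["found"]).days for f in findings if f.get("closed") is None}

def mttr_by_tier(findings):
    """Mean time to remediate, in days, per tier, over closed findings only."""
    buckets = {}
    for f in findings:
        if f.get("closed") is not None:
            buckets.setdefault(classify(f)[0], []).append((f["closed"] - f["found"]).days)
    return {tier: sum(d) / len(d) for tier, d in buckets.items()}

def scan_coverage(inventory, scanned):  # percentage of inventoried assets the scan touched
    return 100.0 * len(set(inventory) & set(scanned)) / len(inventory)

TODAY = date(2024, 3, 15)
FINDINGS = [  # constructed sample findings, not real scanner output
    {"id": "F1", "cvss": 9.8, "exploited": True, "internet_facing": True, "found": date(2024, 1, 10), "closed": date(2024, 1, 20)},
    {"id": "F2", "cvss": 9.1, "found": date(2024, 2, 1)},  # Critical but no known exploit
    {"id": "F3", "cvss": 7.5, "found": date(2024, 1, 5), "closed": date(2024, 2, 4)},
    {"id": "F4", "cvss": 5.3, "found": date(2024, 3, 1)},
    {"id": "F5", "cvss": 2.0, "found": date(2023, 12, 1)},
]

if __name__ == "__main__":
    print(overdue(FINDINGS, TODAY), aging(FINDINGS, TODAY), mttr_by_tier(FINDINGS))
    print("coverage: %.1f%%" % scan_coverage(["srv1", "srv2", "ws1", "ws2"], ["srv1", "ws1", "ws2"]))
```

Running the script monthly against exported scan results and the asset inventory gives the overdue list, aging table, MTTR per tier and coverage figure the management report needs; keeping each month's output is the remediation history an assessor will ask for.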
CMMCDocs.com