CMMCDocs.com


RA.L2-3.11.2

Also known as: Vulnerability scan requirement

The NIST SP 800-171 requirement that mandates the contractor scan in-scope systems and applications for vulnerabilities on a defined cadence, and again whenever a newly identified vulnerability affects them.

RA.L2-3.11.2 requires the contractor to 'scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.'

In practice, contractors meet this with a vulnerability scanner (Nessus, Qualys, Rapid7 InsightVM, Tenable.io) run against every in-scope system on a documented cadence: typically a full (ideally credentialed) scan monthly, weekly or daily scans of systems that have changed, plus an ad hoc scan whenever a newly published vulnerability affects software in the environment. The second half of the requirement is easy to miss: a calendar cadence alone does not satisfy it. There has to be a defined trigger (vendor advisories, a CVE feed, scanner plugin updates) and a record that the triggered scan actually ran.

A C3PAO will ask for recent scan reports (preferably the last 6-12 months), the documented scan cadence, and evidence that findings flow into a remediation tracker, which is where this requirement hands off to RA.L2-3.11.3 (remediate vulnerabilities in accordance with risk assessments). Expect the assessor to reconcile scan scope against the system inventory: a host inside the CUI boundary with no scan record is a gap, as is a finding that appears in a report but never reached the tracker.
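The check below turns the cadence and tracker evidence described above into something you can run before an assessor does. It is an added example, not CMMCDocs code or the output of any named scanner: the scan runs, change records, remediation tracker and the policy windows (31 days for full scans, 7 days for changed hosts) are constructed here, and the field names are assumptions, so map them to whatever your scanner's export and your ticketing system actually produce. It goes slightly beyond the text by also flagging hosts whose latest scan was unauthenticated, since an assessor reading the report will ask.

```python
"""Reconcile scan evidence against a documented cadence (RA.L2-3.11.2).

Added example; all data below is constructed and the field names are assumptions.
"""
from datetime import date, timedelta

# Documented cadence (assumed policy values; use the organisation's own plan).
FULL_SCAN_WINDOW = timedelta(days=31)     # monthly full scan of every in-scope host
CHANGED_HOST_WINDOW = timedelta(days=7)   # rescan within a week of a change

# Constructed sample data, not real scanner output.
AS_OF = date(2024, 6, 1)
IN_SCOPE_HOSTS = ["fileserver01", "app01", "db01", "jump01"]

SCAN_RUNS = [
    {"host": "fileserver01", "date": date(2024, 5, 2), "authenticated": True,
     "findings": ["F-101"]},
    {"host": "app01", "date": date(2024, 4, 28), "authenticated": True,
     "findings": ["F-102"]},
    {"host": "app01", "date": date(2024, 5, 20), "authenticated": False,
     "findings": ["F-102", "F-103"]},
    {"host": "db01", "date": date(2024, 3, 30), "authenticated": True,
     "findings": []},
]

# Change records: host -> date of its most recent change (constructed).
CHANGES = {"app01": date(2024, 5, 22)}

# Remediation tracker: finding id -> status (constructed).
REMEDIATION_TRACKER = {"F-101": "closed", "F-102": "open"}


def latest_scan(host, runs):
    """Return the most recent scan run for a host, or None if it was never scanned."""
    host_runs = [r for r in runs if r["host"] == host]
    return max(host_runs, key=lambda r: r["date"]) if host_runs else None


def cadence_gaps(as_of, hosts, runs, changes):
    """Return [(host, reason)] for every in-scope host whose scan evidence is short."""
    gaps = []
    for host in hosts:
        last = latest_scan(host, runs)
        if last is None:
            gaps.append((host, "never scanned"))
            continue
        if as_of - last["date"] > FULL_SCAN_WINDOW:
            gaps.append((host, f"full scan overdue (last {last['date']})"))
        changed = changes.get(host)
        # A change after the last scan must be followed by a rescan within the window.
        if changed and changed > last["date"] and as_of - changed > CHANGED_HOST_WINDOW:
            gaps.append((host, f"changed {changed}, not rescanned"))
        if not last["authenticated"]:
            gaps.append((host, "latest scan was unauthenticated"))
    return gaps


def untracked_findings(runs, tracker):
    """Finding ids seen in any scan that never reached the remediation tracker."""
    seen = {f for r in runs for f in r["findings"]}
    return sorted(seen - set(tracker))


def evidence_summary(as_of=AS_OF):
    """Everything an assessor would flag, in one structure."""
    return {
        "gaps": cadence_gaps(as_of, IN_SCOPE_HOSTS, SCAN_RUNS, CHANGES),
        "untracked": untracked_findings(SCAN_RUNS, REMEDIATION_TRACKER),
    }


if __name__ == "__main__":
    summary = evidence_summary()
    for host, reason in summary["gaps"]:
        print(f"{host}: {reason}")
    print("findings missing from tracker:", summary["untracked"])
```

Run against the constructed data it reports db01 as overdue for its monthly scan, jump01 as never scanned, app01 as changed after its last scan and only covered by an unauthenticated run, and F-103 as a finding that never made it into the tracker. Feeding it a real scanner export and ticket extract on a schedule gives you the coverage evidence the assessor asks for, rather than assembling it the week before.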

Stop Googling. Start working.

CMMCDocs has all 110 NIST SP 800-171 Rev 2 requirements built in — with the language, the templates, and the evidence vault you need. Spin up a free demo workspace and click around the way an assessor would.
