3.11.2 — Scan for vulnerabilities | NIST 800-171 Control

You scan systems and apps for vulnerabilities — regularly and on new threats.

What it actually means

Run vulnerability scans on a schedule and when new vulnerabilities are announced. Scanning is how you find what to patch (3.14.1) and feeds your risk picture. A 5-pointer because you can't fix what you don't find.

Pass or fail — an assessor needs a "yes" to each

Vulnerability scanning runs on a defined schedule.
Scans cover in-scope systems and applications.
New significant vulnerabilities trigger scans/checks.

What to have ready

Vulnerability scanner configuration + schedule
Scan reports
Process linking scans to remediation

Where teams trip up

No vulnerability scanning at all
Scanning a subset of systems
Scans run but findings never actioned

See where this control puts your score

Run all 110 requirements free in about 10 minutes.

Calculate your SPRS score →

Connected requirements

3.11.3 — Remediate the findings 3.14.1 — Patch the flaws 3.11.1 — Risk assessment

← Back to the Control Library