
RA.L2-3.11.2 Vulnerability Scan

>Control Description

Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.

>Cross-Framework Mappings

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What is your vulnerability scanning policy?
  • How frequently do you perform vulnerability scans?
  • Who is responsible for conducting vulnerability scans?
  • How do you determine which systems require scanning and how often?
  • What is your process for handling newly identified vulnerabilities?
  • Who receives and reviews vulnerability scan results?

Technical Implementation:

  • What vulnerability scanning tools are deployed (Nessus, Qualys, Rapid7)?
  • What authenticated scanning credentials are used?
  • What coverage do vulnerability scans provide?
  • What web application scanners are used?
  • What tools scan containers and cloud infrastructure?
  • How are scan results aggregated and prioritized?
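The last few questions (authenticated credentials, coverage, aggregation and prioritization) are easiest to answer with tooling that produces the evidence on demand. The block below is an added example, not code from this page or from any scanner vendor: it merges normalized findings from two hypothetical scanners, ranks them with a known-exploited flag ahead of raw CVSS, and checks every inventoried host for a recent, authenticated scan against an assumed 30-day policy. The record layout, host names, placeholder CVE identifiers, scan dates and the known-exploited set are all constructed for illustration.

```python
"""Added example: aggregate vulnerability findings from several scanners,
prioritize them, and check scan coverage against an asset inventory.
All data formats and values below are constructed, not a vendor export."""
from datetime import date

MAX_SCAN_AGE_DAYS = 30  # assumed policy: every in-scope host scanned at least monthly

# Constructed scan log, one record per (scanner, host) scan. Coverage is judged
# from this log, not from findings, so a host with zero findings still counts as scanned.
SCAN_LOG = [
    {"scanner": "scanner-a", "host": "web01", "scanned": "2024-06-03", "authenticated": True},
    {"scanner": "scanner-b", "host": "web01", "scanned": "2024-06-05", "authenticated": False},
    {"scanner": "scanner-a", "host": "db01", "scanned": "2024-06-04", "authenticated": True},
    {"scanner": "scanner-a", "host": "app02", "scanned": "2024-04-20", "authenticated": False},
]
INVENTORY = ["web01", "db01", "app02", "jump01"]  # constructed asset list

# Constructed findings; the CVE strings are placeholders, not real identifiers.
FINDINGS = [
    {"scanner": "scanner-a", "host": "web01", "cve": "CVE-0000-0001", "cvss": 9.8},
    {"scanner": "scanner-b", "host": "web01", "cve": "CVE-0000-0001", "cvss": 9.1},
    {"scanner": "scanner-b", "host": "web01", "cve": "CVE-0000-0002", "cvss": 7.5},
    {"scanner": "scanner-a", "host": "db01", "cve": "CVE-0000-0003", "cvss": 5.3},
]
KNOWN_EXPLOITED = {"CVE-0000-0002"}  # constructed stand-in for a known-exploited list


def aggregate(findings):
    """Merge duplicate (host, cve) findings reported by several scanners.

    Keeps the highest CVSS seen and records which scanners reported it, so the
    same issue is tracked once even when two tools score it differently.
    """
    merged = {}
    for f in findings:
        key = (f["host"], f["cve"])
        entry = merged.setdefault(
            key, {"host": f["host"], "cve": f["cve"], "cvss": 0.0, "sources": set()}
        )
        entry["cvss"] = max(entry["cvss"], f["cvss"])
        entry["sources"].add(f["scanner"])
    return list(merged.values())


def prioritize(findings, known_exploited):
    """Rank findings: anything on the known-exploited list first, then by CVSS.

    A 7.5 that is actively exploited outranks a 9.8 that is not.
    """
    return sorted(
        findings,
        key=lambda f: (f["cve"] in known_exploited, f["cvss"]),
        reverse=True,
    )


def coverage(scan_log, inventory, as_of, max_age_days):
    """Report inventoried hosts that were never scanned, scanned too long ago,
    or only ever scanned without credentials. `as_of` is an ISO date string."""
    today = date.fromisoformat(as_of)
    last_scan = {}
    authenticated = set()
    for s in scan_log:
        d = date.fromisoformat(s["scanned"])
        last_scan[s["host"]] = max(last_scan.get(s["host"], d), d)
        if s["authenticated"]:
            authenticated.add(s["host"])
    return {
        "never_scanned": [h for h in inventory if h not in last_scan],
        "stale": [
            h for h in inventory
            if h in last_scan and (today - last_scan[h]).days > max_age_days
        ],
        "unauthenticated_only": [
            h for h in inventory if h in last_scan and h not in authenticated
        ],
    }


if __name__ == "__main__":
    for f in prioritize(aggregate(FINDINGS), KNOWN_EXPLOITED):
        print(f["host"], f["cve"], f["cvss"], sorted(f["sources"]))
    print(coverage(SCAN_LOG, INVENTORY, "2024-06-10", MAX_SCAN_AGE_DAYS))
```

The coverage report is the artifact an assessor is really asking for under "what coverage do your scans provide": a host that is never scanned, a host whose last scan is older than policy, and a host that has only ever been scanned unauthenticated are three different findings, and a real implementation would feed the stale and never-scanned lists straight into the scan scheduler rather than into a spreadsheet.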

Evidence & Documentation:

  • What vulnerability scanning policy and procedure documentation can you provide?
  • What scan schedule or asset inventory shows which systems are in scope and how often each is scanned?
  • What vulnerability scan reports demonstrate regular scanning?
  • What evidence shows scans were run when a newly identified vulnerability affected your systems?
  • What vulnerability remediation tracking shows timely remediation?
  • What vulnerability register or tracking documentation can you show?
