CMMC 2.0 • LEVEL 2 • RISK ASSESSMENT

RA.L2-3.11.2 Vulnerability Monitoring and Scanning

Monitor and scan the system for vulnerabilities at least monthly (weekly where tooling permits) [CMMC/STIG] and when new vulnerabilities affecting the system are identified. Remediate system vulnerabilities within 15 days of discovery for critical vulnerabilities (CVSS 9.0–10.0) [CMMC/STIG]. Update the set of system vulnerabilities to be scanned within 30 days of discovery for high vulnerabilities (CVSS 7.0–8.9) [CMMC/STIG] and when new vulnerabilities are identified and reported.

NIST 800-171 Mapping

NIST 800-53 Controls

Assessment Objectives

  • the system is monitored for vulnerabilities at least monthly (weekly where tooling permits) [CMMC/STIG].
  • the system is scanned for vulnerabilities within 72 hours of a new critical CVE being publicly disclosed or when directed by CISA/USCYBERCOM [CMMC/STIG].
  • system vulnerabilities are remediated within 15 days of discovery for critical vulnerabilities (CVSS 9.0–10.0) [CMMC/STIG].
  • the system is monitored for vulnerabilities when new vulnerabilities that affect the system are identified.
  • the system is scanned for vulnerabilities when new vulnerabilities that affect the system are identified.
  • the set of system vulnerabilities to be scanned is updated within 30 days of discovery for high vulnerabilities (CVSS 7.0–8.9) [CMMC/STIG].
  • the set of system vulnerabilities to be scanned is updated when new vulnerabilities are identified and reported.
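The objectives above give an assessor concrete clocks to check: a 30-day routine scan cadence, a 72-hour scan after a new critical CVE is disclosed, 15 days to remediate CVSS 9.0–10.0 findings and 30 days for CVSS 7.0–8.9. The script below is an added example (not part of the CMMC or STIG text, and not from any particular scanner or GRC tool) that applies those clocks to a small set of constructed scanner findings and reports which ones are overdue. Assumptions made here: the finding field names, the placeholder CVE identifiers (CVE-0000-000x), the sample dates, and the choice to assign no fixed deadline to findings below CVSS 7.0, since the page states none for that band.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Timelines taken from the assessment objectives on this page.
CRITICAL_REMEDIATION_DAYS = 15   # CVSS 9.0-10.0
HIGH_REMEDIATION_DAYS = 30       # CVSS 7.0-8.9
ROUTINE_SCAN_MAX_DAYS = 30       # "at least monthly"
CRITICAL_CVE_SCAN_HOURS = 72     # scan within 72 hours of a new critical CVE


@dataclass
class Finding:
    """One scanner finding; field names are an assumption for this example."""
    host: str
    cve: str
    cvss: float
    discovered: date


def severity_and_sla(cvss: float):
    """Map a CVSS base score to (severity, remediation days).

    Uses >= 9.0 for critical and [7.0, 9.0) for high so one-decimal scores
    never fall between the page's 8.9/9.0 boundaries. Scores below 7.0
    get no fixed deadline (assumption: the page states none).
    """
    if cvss >= 9.0:
        return "critical", CRITICAL_REMEDIATION_DAYS
    if cvss >= 7.0:
        return "high", HIGH_REMEDIATION_DAYS
    return "other", None


def remediation_deadline(f: Finding):
    """Date by which the finding must be remediated, or None if no SLA applies."""
    _, days = severity_and_sla(f.cvss)
    return None if days is None else f.discovered + timedelta(days=days)


def overdue_findings(findings, today_iso: str):
    """Return (host, cve, days_overdue) for findings past their deadline on today_iso."""
    today = date.fromisoformat(today_iso)
    result = []
    for f in findings:
        deadline = remediation_deadline(f)
        if deadline is not None and today > deadline:
            result.append((f.host, f.cve, (today - deadline).days))
    return result


def scan_cadence_ok(last_scan_iso: str, today_iso: str) -> bool:
    """True if the most recent routine scan is within the monthly window."""
    last_scan = date.fromisoformat(last_scan_iso)
    today = date.fromisoformat(today_iso)
    return (today - last_scan).days <= ROUTINE_SCAN_MAX_DAYS


def critical_cve_scan_ok(disclosed_iso: str, scanned_iso) -> bool:
    """True if a scan for a newly disclosed critical CVE ran within 72 hours.

    scanned_iso may be None when no scan has been recorded yet (a failure).
    """
    if scanned_iso is None:
        return False
    disclosed = datetime.fromisoformat(disclosed_iso)
    scanned = datetime.fromisoformat(scanned_iso)
    return timedelta(0) <= scanned - disclosed <= timedelta(hours=CRITICAL_CVE_SCAN_HOURS)


# Constructed sample findings; CVE ids are placeholders, not real vulnerabilities.
SAMPLE_FINDINGS = [
    Finding("web-01", "CVE-0000-0001", 9.8, date(2024, 6, 1)),   # critical, due 2024-06-16
    Finding("db-01", "CVE-0000-0002", 7.5, date(2024, 6, 10)),   # high, due 2024-07-10
    Finding("app-02", "CVE-0000-0003", 9.1, date(2024, 6, 20)),  # critical, due 2024-07-05
    Finding("file-01", "CVE-0000-0004", 5.3, date(2024, 5, 1)),  # no fixed SLA on this page
]

if __name__ == "__main__":
    today = "2024-06-30"
    for host, cve, late in overdue_findings(SAMPLE_FINDINGS, today):
        print(f"OVERDUE {host} {cve} by {late} days")
    print("routine cadence ok:", scan_cadence_ok("2024-06-05", today))
    print("72h critical scan ok:",
          critical_cve_scan_ok("2024-06-20T12:00:00", "2024-06-22T09:00:00"))
```

Run against a real scanner export, the same functions would take the discovery date and CVSS score per finding; the report then doubles as evidence for the remediation objectives, and the two cadence checks as evidence for the monthly and 72-hour scanning objectives.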

Practitioner Notes

Practitioner commentary coming soon.