3.11.2: Scan for Vulnerabilities Regularly—and When Threats Emerge

What is NIST 800-171 Control 3.11.2?
Control 3.11.2 requires organizations to perform vulnerability scanning on a scheduled basis and in response to new threats. This includes scanning:
• Operating systems
• Applications
• Network devices
• Cloud platforms
• Any system that stores or transmits Controlled Unclassified Information (CUI)
You must identify vulnerabilities that could be exploited, assess their severity, and prioritize remediation.

Why It Matters
Vulnerabilities are constantly being discovered. Without active scanning, you won’t know:
• If your systems are exposed
• Whether new software patches are needed
• How changes in the threat landscape affect your risk posture
Attackers move fast. You need to move faster.

How to Implement It
• Use vulnerability scanning tools (e.g., Nessus, Qualys, OpenVAS, Rapid7)
• Schedule scans monthly or quarterly—at minimum
• Run scans:
◦ After major configuration changes
◦ When new systems are added
◦ When new CVEs are released
• Log scan results and prioritize remediation
• Retest after applying patches or fixes
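The steps above (schedule plus event triggers, severity-based prioritization, logging, and rescanning after fixes) can be wired together in a small script. The following is an added example written for this page, not Cuick Trac's code or any scanner vendor's API; it assumes scanner output has already been normalized into records with host, cve, cvss and first_seen fields, the SLA days are assumed policy values (not mandated by NIST 800-171), and the sample findings and CVE ids are constructed placeholders.

```python
"""Prioritize scan findings, decide when a scan is due, and verify remediation on rescan.

Added example for this page; not code from Cuick Trac or a scanner vendor.
Assumes findings have been normalized into dicts with host, cve, cvss, first_seen.
"""
from datetime import date, timedelta

# Remediation SLA in days per severity tier: assumed policy values, not NIST-mandated.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def severity(cvss: float) -> str:
    """Map a CVSS v3 base score to its qualitative rating (critical/high/medium/low)."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def prioritize(findings, today):
    """Annotate each finding with severity, SLA due date and overdue flag; sort worst-first."""
    out = []
    for f in findings:
        sev = severity(f["cvss"])
        due = f["first_seen"] + timedelta(days=SLA_DAYS[sev])
        out.append({**f, "severity": sev, "due": due, "overdue": today > due})
    # Highest severity first, then the oldest finding within a tier.
    out.sort(key=lambda r: (SEVERITY_ORDER[r["severity"]], r["first_seen"]))
    return out


def compare_scans(previous, current):
    """Classify (host, cve) pairs as remediated, persisting or new between two scans.

    Running this against the rescan taken after patching is the 'retest' step:
    a finding counts as remediated only when the rescan no longer reports it.
    """
    prev_keys = {(f["host"], f["cve"]) for f in previous}
    cur_keys = {(f["host"], f["cve"]) for f in current}
    return {
        "remediated": sorted(prev_keys - cur_keys),
        "persisting": sorted(prev_keys & cur_keys),
        "new": sorted(cur_keys - prev_keys),
    }


def scan_is_due(last_scan, today, max_interval_days=30,
                new_cve_published=None, config_changed=False):
    """True when the scheduled interval has elapsed or an event trigger has fired."""
    if today - last_scan >= timedelta(days=max_interval_days):
        return True  # scheduled (monthly by default)
    if config_changed:
        return True  # major configuration change or new system added
    if new_cve_published is not None and new_cve_published > last_scan:
        return True  # relevant CVE released since the last scan
    return False


# Constructed sample findings; CVE ids are placeholders, not real identifiers.
PREVIOUS_SCAN = [
    {"host": "web-01", "cve": "CVE-0000-0001", "cvss": 9.8, "first_seen": date(2024, 5, 1)},
    {"host": "web-01", "cve": "CVE-0000-0002", "cvss": 5.3, "first_seen": date(2024, 5, 1)},
    {"host": "db-01", "cve": "CVE-0000-0003", "cvss": 7.5, "first_seen": date(2024, 4, 15)},
]
CURRENT_SCAN = [
    {"host": "web-01", "cve": "CVE-0000-0002", "cvss": 5.3, "first_seen": date(2024, 5, 1)},
    {"host": "db-01", "cve": "CVE-0000-0003", "cvss": 7.5, "first_seen": date(2024, 4, 15)},
    {"host": "vpn-01", "cve": "CVE-0000-0004", "cvss": 9.1, "first_seen": date(2024, 6, 1)},
]


if __name__ == "__main__":
    today = date(2024, 6, 3)
    for r in prioritize(CURRENT_SCAN, today):
        flag = "OVERDUE" if r["overdue"] else "within SLA"
        print(f'{r["severity"]:8} {r["host"]:7} {r["cve"]}  due {r["due"]}  {flag}')
    print(compare_scans(PREVIOUS_SCAN, CURRENT_SCAN))
    print("scan due:", scan_is_due(date(2024, 5, 20), today, new_cve_published=date(2024, 5, 25)))
```

The comparison uses (host, cve) as the identity of a finding, so a vulnerability that disappears from one host but appears on another is reported as both remediated and new rather than silently carried over; the overdue flag is what an auditor would expect the log of scan results to make visible.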

Common Mistakes
• Scanning once a year (or less)
• Ignoring or under-prioritizing high-severity findings
• Failing to rescan after remediation

How Cuick Trac Helps
Cuick Trac helps enforce this control by:
• Recommending and integrating with compliant vulnerability scanning tools
• Supporting scheduled and event-driven scan planning
• Offering advisory support for prioritizing and remediating findings
• Logging and documenting results for CMMC and NIST audit readiness
With Cuick Trac, your scanning is systematic, prioritized, and aligned with your risk management goals.

Final CTA
Hackers look for the gaps. Vulnerability scanning helps you close them—before they do.
Book a Cuick Trac demo and take control of your vulnerability management process.
