This objective ensures your organization’s vulnerability identification activities are actually happening—meaning you are actively scanning, monitoring, and reviewing your systems and applications for flaws that could compromise Controlled Unclassified Information (CUI).