CMMC Practice Requirement:

Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.

CMMC Requirement Explanation:

By using a vulnerability scanner like Nessus you can quicklu identify vulnerabilities on your systems. Vulnerabilities often include outdated software and vulnerable default settings.

Example CMMC Implementation:

Use a vulnerability scanner to periodically (e.g. bi-weekly) scan systems on your internal and external network.


- Scenario 1:

You have purchased a vulnerability scanner to identify vulnerabilities in your systems. You configure it to scan everything on your network once a month. You also configure your scanner to updates its signature database before each scan. You document the results of your scans so that you can plan on mitigating the findings.

Discover Our NIST SP 800-171 Solutions:


Compliance Accelerator

For contractors seeking compliance

Quantum Assessor

For IT service providers

Supply Chain Verifier

For contractors seeking to verify partner compliance