Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. Solutions like Nessus can be used to meet this requirement. Ensure that you scan for vulnerabilities on all devices connected to the network including servers, desktops, laptops, virtual machines, containers, firewalls, switches, and printers

A vulnerability scanner is an application that identifies vulnerabilities in systems. Most vulnerability scanners can create a prioritized list of vulnerabilities ordered by their level of severity. All assets that are within the scope of the CMMC assessment must be scanned, including assets such as laptop computers that may not routinely connect to an organization’s network.

Use a vulnerability scanner to periodically (e.g. bi-weekly) scan systems on your internal and external network.