RA.L2-3.11.2 — Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
What this control requires
Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
Source: CMMC L2 v2.13 RA.L2-3.11.2 / NIST SP 800-171 R2 3.11.2 (official control text).
Why this matters
Vulnerabilities are weaknesses attackers exploit to breach systems, steal data, or deploy ransomware. New vulnerabilities emerge constantly (zero-days, unpatched software, misconfigurations), and each one opens a window of opportunity for adversaries. This control mandates routine automated scanning and a rapid response to newly disclosed threats, so that the organization identifies exposures before attackers do. Without continuous vulnerability discovery, systems become easy targets. Regular scanning shortens the window between vulnerability disclosure and remediation, directly reducing the probability of a breach and demonstrating proactive security management to auditors and customers.
What evidence assessors expect
Assessors typically look for artifacts such as screenshots, CSV exports, and PDFs. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
Related controls
See your live posture on RA.L2-3.11.2.
FORCE shows where you stand on this control and walks you through closing it.