03.11.02 — Vulnerability Monitoring and Scanning
What this control requires
(a) Monitor and scan the system for vulnerabilities {{ insert: param, A.03.11.02.ODP.01 }} and when new vulnerabilities affecting the system are identified.
(b) Remediate system vulnerabilities within {{ insert: param, A.03.11.02.ODP.03 }}.
(c) Update system vulnerabilities to be scanned {{ insert: param, A.03.11.02.ODP.04 }} and when new vulnerabilities are identified and reported.
Source: NIST SP 800-171 R3 §03.11.02 (official control text).
Why this matters
Vulnerabilities are discovered constantly in operating systems, applications, firmware, and network devices. Attackers actively exploit known weaknesses, sometimes within hours of public disclosure. This control requires the organization to discover vulnerabilities systematically before adversaries do, prioritize remediation by risk, and keep scanner vulnerability feeds current so scanning tools recognize newly disclosed flaws. Without continuous monitoring and patching discipline, even well-configured systems become entry points for ransomware, data exfiltration, and lateral movement across the network.
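One way to turn parts (a) and (b) of the control into a repeatable check is to read a scanner's CSV export and compare it against the organization-defined scan frequency and remediation window. The example below is added here and is not FORCE's or NIST's code; the ODP values (30-day scan frequency, severity-based remediation windows), the CSV column layout, the host names, and the plugin identifiers are all assumed or constructed for illustration, and the real values belong in the organization's System Security Plan.

```python
"""Added example (not FORCE's or NIST's code): check a vulnerability scan export
against the organization-defined parameters of 03.11.02 (a) and (b).

Assumptions: the ODP values are illustrative, the CSV columns are constructed for
this example, and 'today' is passed in explicitly so results are reproducible.
"""
import csv
import io
from datetime import date, timedelta

# Illustrative organization-defined parameters (assumed, not the real ODP values).
SCAN_FREQUENCY_DAYS = 30           # A.03.11.02.ODP.01: scan at least every 30 days
REMEDIATION_WINDOW_DAYS = {        # A.03.11.02.ODP.03: remediation window by severity
    "critical": 15,
    "high": 30,
    "medium": 90,
    "low": 180,
}

# Constructed sample export; column names and values are invented for this example.
SAMPLE_EXPORT = """\
host,plugin_id,severity,first_seen,last_seen,status
srv-db-01,PLUGIN-0001,critical,2024-05-01,2024-06-10,open
srv-web-02,PLUGIN-0002,high,2024-05-20,2024-06-10,open
wks-017,PLUGIN-0003,medium,2024-04-01,2024-06-10,open
srv-web-02,PLUGIN-0004,critical,2024-06-05,2024-06-10,open
srv-db-01,PLUGIN-0005,low,2023-11-15,2024-06-10,fixed
"""


def _as_date(value):
    """Accept either a date object or an ISO-8601 string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def parse_export(text):
    """Parse the CSV export into dicts, converting the date columns to date objects."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["first_seen"] = _as_date(row["first_seen"])
        row["last_seen"] = _as_date(row["last_seen"])
        rows.append(row)
    return rows


def overdue_findings(rows, today, windows=REMEDIATION_WINDOW_DAYS):
    """Return open findings whose deadline (first_seen + window) has passed.

    Each result carries 'deadline' and 'days_overdue'; the list is sorted with the
    most overdue first so it can be used directly for triage. A finding whose
    deadline is today is still within the window.
    """
    today = _as_date(today)
    overdue = []
    for r in rows:
        if r["status"].strip().lower() != "open":
            continue
        window = windows.get(r["severity"].strip().lower())
        if window is None:
            # Unknown severity: apply the tightest window rather than silently skipping.
            window = min(windows.values())
        deadline = r["first_seen"] + timedelta(days=window)
        if today > deadline:
            overdue.append({**r, "deadline": deadline,
                            "days_overdue": (today - deadline).days})
    return sorted(overdue, key=lambda f: f["days_overdue"], reverse=True)


def scan_is_current(rows, today, frequency_days=SCAN_FREQUENCY_DAYS):
    """True if the most recent scan evidence (max last_seen) is within the frequency."""
    today = _as_date(today)
    if not rows:
        return False
    latest = max(r["last_seen"] for r in rows)
    return (today - latest).days <= frequency_days


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    today = "2024-06-20"
    print("scan current:", scan_is_current(rows, today))
    for f in overdue_findings(rows, today):
        print(f"{f['host']} {f['plugin_id']} {f['severity']} overdue by "
              f"{f['days_overdue']} days (deadline {f['deadline']})")
```

Run as a script, this reports whether the latest scan evidence is within the assumed 30-day frequency and lists the open findings past their remediation window; the output list (or the CSV it is derived from) is the kind of artifact an assessor can tie back to parts (a) and (b). The fixed finding is ignored, and the critical finding whose deadline falls on the check date is deliberately not flagged, so the boundary behaviour is explicit rather than accidental.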
What evidence assessors expect
Assessors typically look for: PDF, screenshot, CSV export. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
Related controls
See your live posture on 03.11.02.
FORCE shows where you stand on this control and walks you through closing it.