Vulnerability scanning is performed regularly on all systems
You cannot remediate vulnerabilities you do not know about. Regular scanning gives you a current picture of where your systems are exposed before an attacker builds the same picture. Scanning alone is not enough: the output must be tracked, prioritized, and remediated on defined timelines. Unauthenticated scans only see what a host exposes over the network and must infer versions from banners, so they miss much of what an attacker with a foothold can use; authenticated scans that log in and enumerate installed packages and configuration are significantly more accurate and produce fewer false positives.
Implementation steps
1. Deploy an authenticated vulnerability scanner across all systems
Configure your scanner with credentials so it can log into each system and enumerate installed software and configuration. Treat those credentials as privileged: scope the scan account to the read access the scanner needs, keep it in the scanner's credential store or a vault rather than in plain configuration, and alert on any use of it outside scan windows. Add every host from your asset inventory, including on-premises servers, cloud instances, and endpoints, and scope the scanner to cover 100% of that inventory. Run internal scans at least weekly and external scans of internet-facing assets at least monthly. Check each scan for hosts where authentication failed; an unauthenticated result against an in-scope host is a coverage gap, not coverage.
Tools: Tenable, Qualys, Rapid7 Nexpose, OpenVAS, CrowdStrike Spotlight

2. Integrate scan results into a centralized tracking workflow
Export scan results to a vulnerability management platform or ticketing system. Every new critical or high finding should automatically create a tracked work item with an owner, due date, and SLA; do not let scan results sit in a PDF that nobody acts on. Deduplicate on the (asset, vulnerability) pair so that weekly rescans update the existing ticket instead of opening a new one, and close tickets only when a later scan confirms the finding is gone. Connect your scanner to your SIEM or SOAR so findings can be prioritized on evidence of active exploitation, such as the CISA Known Exploited Vulnerabilities catalog, rather than on CVSS score alone.
Tools: Tenable, Qualys, Jira, ServiceNow, Drata

3. Track scan coverage and remediation metrics over time
Measure scan coverage as the percentage of inventoried assets that received an authenticated scan in the period, and list the assets that did not. Track mean time to remediate by severity, and the share of findings closed within SLA. Report these metrics to leadership monthly. Set targets: for example, 95% of critical findings remediated within 15 days. Trend data shows whether your program is improving or stagnating.
Tools: Tenable, Qualys, Drata, Vanta, Confluence
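As an added example (not code from this page or from any of the scanner or ticketing vendors listed), the following Python script computes the coverage and remediation metrics that steps 2 and 3 call for, against constructed data: an asset inventory, the hosts a scan actually reached (with whether credentials worked), and a list of findings. The record field names and the SLA values other than the 15-day critical target are assumptions; map them onto your own scanner's export.

```python
"""Coverage and remediation metrics from an asset inventory and scanner output.

Added example, not from the original page or any scanner vendor. Inventory,
scan results and findings are constructed inline; the record field names and
the non-critical SLA values are assumptions to adapt to your own tool's export.
"""
from collections import defaultdict
from datetime import date

# Remediation SLA in calendar days by severity. 15 days for critical is the
# target given in the text; the other values are assumed for illustration.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}


def norm(host):
    """Normalise hostnames so inventory and scanner agree on asset identity."""
    return host.strip().lower().rstrip(".")


def coverage(inventory, scan_hosts):
    """Reconcile the inventory (source of truth) with what the scanner reached.

    scan_hosts maps hostname -> True if the scan authenticated, False if the
    host was reached but credentials failed. Only authenticated scans count
    as coverage, because an unauthenticated result does not satisfy the control.
    """
    inv = {norm(h) for h in inventory}
    scanned = {norm(h): ok for h, ok in scan_hosts.items()}
    authenticated = {h for h in inv if scanned.get(h) is True}
    return {
        "coverage_pct": round(100 * len(authenticated) / len(inv), 1) if inv else 0.0,
        "not_scanned": sorted(inv - set(scanned)),
        "credential_failed": sorted(h for h in inv if scanned.get(h) is False),
        # Assets the scanner saw but the inventory does not know about: an
        # inventory gap to fix, not something to silently drop.
        "unknown_to_inventory": sorted(set(scanned) - inv),
    }


def remediation_metrics(findings, today):
    """Per-severity open backlog, overdue count, MTTR and SLA attainment.

    Each finding: {"id", "hostname", "severity", "first_seen": date,
    "closed": date or None}. The SLA clock starts at first_seen.
    """
    acc = defaultdict(lambda: {"open": 0, "overdue": 0, "closed": 0,
                               "met": 0, "days": []})
    for f in findings:
        sev = f["severity"].lower()
        m, sla = acc[sev], SLA_DAYS[sev]
        if f["closed"] is None:
            m["open"] += 1
            if (today - f["first_seen"]).days > sla:
                m["overdue"] += 1
        else:
            days = (f["closed"] - f["first_seen"]).days
            m["closed"] += 1
            m["days"].append(days)
            if days <= sla:
                m["met"] += 1
    report = {}
    for sev, m in acc.items():
        # Attainment counts only findings whose outcome is decided: closed
        # ones plus open ones already past due. Open findings still inside
        # their window are neither a pass nor a fail yet.
        decided = m["closed"] + m["overdue"]
        report[sev] = {
            "open": m["open"],
            "overdue": m["overdue"],
            "mttr_days": round(sum(m["days"]) / len(m["days"]), 1) if m["days"] else None,
            "sla_attainment_pct": round(100 * m["met"] / decided, 1) if decided else None,
        }
    return report


# Constructed sample data (hypothetical hosts and findings).
INVENTORY = ["web-01.corp.example", "db-01.corp.example",
             "jump-01.corp.example", "laptop-042.corp.example"]
SCAN_HOSTS = {"WEB-01.corp.example.": True,   # case/trailing-dot differences
              "db-01.corp.example": True,
              "jump-01.corp.example": False,  # reached, credentials failed
              "build-07.corp.example": True}  # not in inventory
TODAY = date(2024, 6, 30)


def _f(fid, host, sev, seen, closed=None):
    return {"id": fid, "hostname": host, "severity": sev,
            "first_seen": seen, "closed": closed}


FINDINGS = [
    _f("F1", "web-01.corp.example", "critical", date(2024, 6, 1), date(2024, 6, 10)),
    _f("F2", "web-01.corp.example", "critical", date(2024, 6, 5), date(2024, 6, 25)),
    _f("F3", "db-01.corp.example", "critical", date(2024, 6, 10)),
    _f("F4", "db-01.corp.example", "critical", date(2024, 6, 22)),
    _f("F5", "db-01.corp.example", "high", date(2024, 5, 1), date(2024, 5, 20)),
    _f("F6", "jump-01.corp.example", "high", date(2024, 5, 15)),
    _f("F7", "web-01.corp.example", "medium", date(2024, 6, 20)),
]

if __name__ == "__main__":
    print("coverage:", coverage(INVENTORY, SCAN_HOSTS))
    for sev, m in remediation_metrics(FINDINGS, TODAY).items():
        print(f"{sev:9s} open={m['open']} overdue={m['overdue']} "
              f"mttr={m['mttr_days']} sla={m['sla_attainment_pct']}%")
```

Two design choices matter here. Coverage is computed against the inventory, not against what the scanner happens to list, so hosts the scanner never reached and hosts where credentials failed both show up as gaps; the scanner-only hosts are reported as an inventory problem rather than discarded. SLA attainment counts only findings whose outcome is decided (closed, or open and already past due), so a wave of fresh criticals does not make the number look worse or better until their window has actually run out.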
Evidence required
Scan configuration and recent scan results
Evidence that authenticated scans are running on schedule and covering the full asset inventory.
- Vulnerability scanner configuration showing scan schedule and credential usage
- Recent scan report with asset coverage percentage
- Remediation tracking dashboard or ticket backlog showing open findings by severity
Related controls
- Critical and high vulnerabilities are remediated within defined SLAs (Vulnerability Management)
- CISA Known Exploited Vulnerabilities are remediated on priority timelines (Vulnerability Management)
- Internet-exposed attack surface is identified and minimized (Vulnerability Management)
- Penetration testing or red team exercises are conducted at least annually (Vulnerability Management)