Vulnerability scans are performed
Unpatched and misconfigured systems are the most common entry points attackers exploit. Vulnerability scanning is the discipline of regularly probing your own systems the way an attacker would: enumerating software versions, checking for known CVEs, and identifying misconfigurations before they are exploited. Without a regular scan cadence, organizations accumulate risk invisibly until a breach makes the gap visible.
Implementation steps
1. Deploy an authenticated vulnerability scanner for internal assets
Configure a vulnerability scanner with credentials to scan internal systems in an authenticated mode: this discovers far more vulnerabilities than unauthenticated scans because the scanner can enumerate installed software versions and check configurations directly. Schedule scans to run at least weekly for internet-facing systems and monthly for internal systems. Assign ownership so that scan results reach the teams responsible for remediation.
Tools: Tenable, Qualys, Rapid7, OpenVAS
2. Integrate container and cloud infrastructure scanning
Vulnerability scanners designed for VMs often miss cloud-native infrastructure. Add scanning for container images (scan every image before it is deployed and rescan the image registry periodically), cloud infrastructure configuration (checking for public S3 buckets, open security groups, unencrypted snapshots), and serverless functions. Integrate these scans into CI/CD so that new deployments are blocked when they introduce high or critical vulnerabilities.
Tools: Snyk, Trivy, Aqua Security, Prisma Cloud, AWS Inspector, Wiz
3. Establish SLAs for vulnerability remediation and track compliance
Define remediation SLAs based on severity: critical vulnerabilities remediated within 24-72 hours, high within 7-14 days, medium within 30 days. Track open vulnerabilities against these SLAs and report exceptions with an accepted risk or compensating control rationale. Review the vulnerability backlog monthly with engineering leads to prevent accumulation.
Tools: Jira, Linear, Tenable, Qualys
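As an added example (not code from this page or from any of the scanners and trackers it names), a small Python gate that applies the severity SLAs above to constructed findings: it blocks a deployment on open, unaccepted high or critical findings as the CI/CD integration requires, classifies each finding against its SLA with accepted-risk exceptions called out, and computes the closure rate by severity for the monthly metrics report. The finding dictionary shape, ids and dates are constructed, not a real tool's output.

```python
# Added example: a minimal CI/CD gate and SLA tracker over constructed findings.
# Not code from any scanner or tracker named on this page; the finding dicts are
# a simplified, constructed shape, not a real tool's output format.
from datetime import date, timedelta

# Remediation SLAs from the page, in days (critical uses the 72-hour upper bound).
SLA_DAYS = {"CRITICAL": 3, "HIGH": 14, "MEDIUM": 30}
BLOCKING = {"CRITICAL", "HIGH"}  # severities that block a deployment in CI/CD
SEEN = date(2024, 1, 1)          # constructed first-seen date for the samples
REPORT_DATE = date(2024, 1, 20)  # constructed "today" for the sample run

def gate_decision(findings):
    """Return (blocked, reasons); block on any open, unaccepted HIGH/CRITICAL."""
    reasons = [f"{f['id']} {f['severity']}" for f in findings
               if f["severity"] in BLOCKING and f.get("closed") is None
               and not f.get("risk_accepted")]
    return (bool(reasons), reasons)

def sla_status(findings, today):
    """Map finding id -> 'closed' | 'accepted' | 'no_sla' | 'ok' | 'breached'."""
    status = {}
    for f in findings:
        days = SLA_DAYS.get(f["severity"])
        if f.get("closed") is not None:
            status[f["id"]] = "closed"
        elif f.get("risk_accepted"):
            status[f["id"]] = "accepted"  # exception reported with its rationale
        elif days is None:
            status[f["id"]] = "no_sla"  # the page defines no SLA below medium
        else:
            due = f["first_seen"] + timedelta(days=days)
            status[f["id"]] = "breached" if today > due else "ok"
    return status

def closure_rate_by_severity(findings):
    """Fraction of findings closed per severity, for the monthly metrics report."""
    totals, closed = {}, {}
    for f in findings:
        sev = f["severity"]
        totals[sev] = totals.get(sev, 0) + 1
        closed[sev] = closed.get(sev, 0) + int(f.get("closed") is not None)
    return {sev: closed[sev] / n for sev, n in totals.items()}

# Constructed sample findings (placeholder ids, not real CVEs).
SAMPLE = [
    {"id": "FINDING-1", "severity": "CRITICAL", "first_seen": SEEN},
    {"id": "FINDING-2", "severity": "HIGH", "first_seen": SEEN, "closed": date(2024, 1, 10)},
    {"id": "FINDING-3", "severity": "HIGH", "first_seen": SEEN, "risk_accepted": "compensating control"},
    {"id": "FINDING-4", "severity": "MEDIUM", "first_seen": SEEN},
    {"id": "FINDING-5", "severity": "LOW", "first_seen": SEEN},
]
```

Running `gate_decision(SAMPLE)` blocks on the open critical finding alone, since the closed and risk-accepted high findings are excluded, and `sla_status(SAMPLE, REPORT_DATE)` reports that critical finding as breached after its 72-hour window.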
Evidence required
Vulnerability scan reports
Recent scan results showing scope, findings, and severity distribution for critical systems.
- Tenable or Qualys scan report from the last 30 days covering internet-facing assets
- Container image scan results from CI/CD pipeline showing vulnerability counts
- AWS Inspector findings report for EC2 instances and Lambda functions
Remediation tracking and SLA documentation
Evidence that vulnerabilities are tracked and remediated within defined time frames.
- Vulnerability management policy defining severity-based remediation SLAs
- Jira or Linear board showing open vulnerabilities with due dates and owners
- Monthly vulnerability metrics report showing closure rate by severity
Related controls
- Vulnerabilities in assets are identified, validated, and recorded (Risk Assessment)
- Networks and network services are monitored to detect adverse events (Continuous Monitoring)
- The physical environment is monitored to detect potential cybersecurity events (Continuous Monitoring)
- Personnel activity and technology usage are monitored to detect potentially adverse events (Continuous Monitoring)