Understanding RA.L2-3.11.2: Vulnerability ScanningTheRA.L2-3.11.2practice requires organizations to:
✔Regularly scan for vulnerabilitiesin systems and applications.
✔Perform scans when new vulnerabilities are identified.
✔Use vulnerability scanning tools or servicesto proactively detect security weaknesses.
Anincident monitoring reporttrackssecurity incidents, notvulnerability scanning activities.
Vulnerability scanning reportsshould include:✔A list of vulnerabilities detected.✔Remediation actions taken.✔Scan frequency and schedule.
Theabsence of reported security incidentsdoesnotconfirm that vulnerability scans were performed.
Why Is an Incident Monitoring Report Irrelevant?
A. Inadequate because it is irrelevant to the practice → Correct
B. Adequate because it fits well for expected artifacts → Incorrect
Incident monitoring reportsare not expected artifactsfor this control.Vulnerability scan reportsare required instead.
C. Adequate because no security incidents were reported → Incorrect
The absence of incidents does not mean the OSC is performing vulnerability scanning. This isnot valid evidence.
D. Inadequate because the OSC's service provider should be interviewed → Incorrect
While interviewing the provider may be useful, themain issue is that the provided evidence is irrelevant. Thecorrect evidence (vulnerability scan reports) is missing.
Why is the Correct Answer "A. Inadequate because it is irrelevant to the practice"?
NIST SP 800-171 (Requirement 3.11.2 – Vulnerability Scanning)
CMMC Assessment Guide for Level 2
Specifies that evidence for RA.L2-3.11.2 should includevulnerability scan reports, not incident monitoring reports.
CMMC 2.0 Model Overview
Confirms that organizationsmust proactively identify vulnerabilities through scanning, not just rely on incident detection.
CMMC 2.0 References Supporting This Answer:
