If you’re a small DoD contractor, you already know the pressure: protect CUI, keep projects moving, and do it with a lean team. That’s why I treat CMMC vulnerability scanning like a smoke alarm, it’s not the whole fire plan, but it’s how you find trouble early.
In this post, I’m laying out a practical vulnerability scanning plan you can copy, plus a simple operating procedure you can run with limited staff. I’ll keep it tool-agnostic, because what matters in a CMMC Level 2 assessment is consistency, scope, and evidence.
Along the way, I’ll tie the plan back to NIST SP 800-171 (RA-5 and friends), and I’ll show scan frequencies, safe scanning rules, and how I handle endpoints, servers, network gear, and cloud workloads.
What CMMC Level 2 expects from vulnerability scanning (RA-5)
Level 2 aligns to the 110 controls in NIST SP 800-171, and vulnerability scanning sits in the Risk Assessment family. The CMMC practice is commonly referenced as RA.L2-3.11.2, which requires you to scan periodically and when new vulnerabilities affect your environment. A clear plain-English breakdown is available on DIB SCC CyberAssist’s RA.L2-3.11.2 guidance.
I also keep the official assessment language handy, because it helps me write evidence the way an assessor expects to see it. The CMMC Level 2 Assessment Guide (PDF) is my go-to reference when I’m validating wording in an SSP or building a POA&M workflow.
One more reality check: attestation and assessment expectations are now anchored in regulation. If you’re doing a self-assessment and annual affirmation for some contracts, I point leadership to 32 CFR 170.16 so nobody treats scanning like “optional paperwork.”
Here’s the trap I see most often: a contractor runs a scan, fixes a few items, then can’t prove cadence, scope, approvals, or re-scan validation. CMMC Level 2 is as much about repeatable process as it is about security outcomes.
If you can’t show scan scope, dates, findings, tickets, and re-scan results, the scan didn’t “count” for assessment purposes.
Vulnerability Scanning Plan template (copy, adapt, and put in your SSP)
I write this plan so it works for Small Business IT teams, and it also scales when you add Cloud Infrastructure, remote users, and multiple sites.
1) Purpose and scope (example language)
Purpose: “I scan in-scope systems and applications to identify known weaknesses, prioritize risk to CUI, remediate within defined timelines, and verify fixes through re-scanning.”
Scope: “This plan covers all assets that store, process, or transmit CUI, plus supporting systems that could impact CUI (identity, email security, logging, and network boundary devices). Out-of-scope systems (for example, guest Wi-Fi or a segmented lab) follow a separate schedule.”
If your company also runs mixed environments like Restaurant POS Support or Kitchen Technology Solutions, I keep them segmented and clearly marked out of CUI scope, unless they truly touch CUI.
2) Roles and ownership (example language)
- System Owner: approves scope and remediation windows.
- Scanner Operator: runs scans, validates credentials, maintains schedules.
- Remediation Owner: patches, config-fixes, or compensates with Device Hardening.
- Reviewer: confirms evidence completeness before assessment.
This can be one person wearing three hats, as long as approvals are documented.
3) Tooling criteria (tool-agnostic)
I select tools that support authenticated (credentialed) scans, exportable reports, asset tagging, and safe rate controls. Optional examples include common enterprise scanners and cloud posture tools, but I never write a plan that depends on one vendor.
For teams new to the concept, this vulnerability scanning explainer helps set expectations without drowning you in jargon.
4) Scan cadence and triggers (recommended baseline)
Use this table as a starting point, then adjust for uptime needs and change volume.
| Asset type | Minimum frequency | Triggered scans | Notes |
|---|---|---|---|
| External attack surface (public IPs, portals, VPN) | Weekly | After firewall/VPN changes | Tight rate limits, off-hours runs |
| Internal network segments (CUI enclave) | Monthly | After major network changes | Credentialed scans preferred |
| Endpoints (laptops, desktops) | Weekly posture checks | After new baseline | Pair with Endpoint Security telemetry |
| Servers (on-prem and IaaS) | Monthly | After patch cycles | Coordinate with maintenance windows |
| Network devices (firewalls, switches) | Monthly | After firmware/config changes | Include config review evidence |
| Cloud workloads and configs | Weekly | After IaC changes | Part of Secure Cloud Architecture and Cloud Management |
5) Credentialed scanning rules (example language)
“I use dedicated read-only accounts for scanning. Credentials are stored in an access-controlled vault. I rotate passwords on a defined schedule and after staff changes. I restrict scanner access to approved IPs and segments.”
6) Safe scanning rules (example language)
“I scan during approved change windows when feasible, rate-limit to avoid service impact, and exclude fragile systems only with documented approval and compensating controls.”
7) Prioritization and remediation SLAs (example language)
“I prioritize by severity, exploitability, and CUI impact. Default SLAs: Critical 15 days, High 30, Medium 60, Low 90 (unless system constraints require an approved exception).”
8) NIST SP 800-171 mapping (quick reference)
This mapping helps me justify why the plan is written the way it is:
| Plan element | NIST SP 800-171 control(s) it supports |
|---|---|
| Scheduled and triggered scanning | RA-5 |
| Remediation timelines and patch workflow | SI-2 |
| Change windows and approvals | CM-3 |
| Baselines and hardening standards | CM-2 |
| Proof of review and accountability | AU-6, CA-2 |
| Boundary coverage (external, internal segments) | SC-7 |
| Incident tie-in when exploit activity appears | IR-4 |
Run the procedure, report it, and keep evidence (without adding headcount)
A plan on paper won’t save you during a C3PAO interview. I like a simple procedure that matches how small teams actually work, especially when they’re also juggling Office 365 Migration projects, Data Center Technology refreshes, and Infrastructure Optimization.
Monthly operating procedure (with a mini-checklist)
- Confirm scope: pull the current asset list for the CUI enclave, including cloud instances and remote endpoints.
- Validate scanner access: confirm credentialed accounts still work, then test on one known host.
- Schedule the change window: get written approval (ticket or email) for time, targets, and rate limits.
- Run external scans: focus on public-facing services first, because they’re easiest to attack.
- Run internal credentialed scans: scan servers and workstations by segment, not “entire network at once.”
- Cover endpoints: use your Endpoint Security and device posture data to catch missing patches and weak configs.
- Scan network devices: include firmware checks, exposed management interfaces, and weak SNMP or admin settings.
- Check cloud workloads: scan images and hosts, and also review cloud misconfigurations that expose storage or management ports.
- Triage and ticket: create one ticket per fix owner, include severity, affected asset, and due date.
- Re-scan to verify: attach proof to the ticket, then close with a short remediation note.
Don’t “fix by exception.” If you can’t patch, document the exception, the compensating control, and the review date.
Metrics and evidence for CMMC Level 2 assessments
I keep reporting simple, because busy teams won’t maintain a complicated dashboard. These are the three metrics I can defend in an assessment:
- MTTR (mean time to remediate) by severity (Critical, High, Medium, Low)
- SLA compliance rate (percent closed within your stated timelines)
- Overdue vulnerabilities (count, aging, and systems impacted)
For evidence, I build a folder that matches the scan cycle. I include:
- Approved scan schedule and change approvals
- Scan configurations (targets, rate limits, credentialed vs non-credentialed)
- Raw scan reports and exported summaries
- Tickets showing assignment, due dates, and closure notes
- Re-scan proof (before/after or closed finding reports)
- Exception records with compensating controls and expiration dates
- POA&M entries when fixes won’t land inside SLA
- Management review notes (monthly is enough for small shops)
This is where a Business Technology Partner earns trust. When I provide Technology Consulting and Tailored Technology Services, I’m not just running tools. I’m building a repeatable habit that supports Digital Transformation, keeps CUI protected, and strengthens Business Continuity & Security.
Conclusion
A strong CMMC vulnerability scanning program isn’t about buying a fancy scanner. It’s about a written plan, a steady cadence, safe execution, and clean evidence. If you run Managed IT for Small Business clients, treat scanning like a monthly close, it happens on schedule, and it produces records. When you want help building a scan scope around your IT Strategy for SMBs, or aligning cloud and on-prem into one Secure Cloud Architecture, I’m ready to step in and make it assessment-ready.
Discover more from Guide to Technology
Subscribe to get the latest posts sent to your email.