Understanding RA.L2-3.11.2: Vulnerability Scanning
TheRA.L2-3.11.2practice requires organizations to:
✔Regularly scan for vulnerabilitiesin systems and applications.
✔Perform scans when new vulnerabilities are identified.
✔Use vulnerability scanning tools or servicesto proactively detect security weaknesses.
Why Is an Incident Monitoring Report Irrelevant?
Anincident monitoring reporttrackssecurity incidents, notvulnerability scanning activities.
Vulnerability scanning reportsshould include:
✔A list of vulnerabilities detected.
✔Remediation actions taken.
✔Scan frequency and schedule.
Theabsence of reported security incidentsdoesnotconfirm that vulnerability scans were performed.
Why is the Correct Answer "A. Inadequate because it is irrelevant to the practice"?
A. Inadequate because it is irrelevant to the practice → Correct
Alack of reported security incidents does not confirm that vulnerability scanning was performed.
B. Adequate because it fits well for expected artifacts → Incorrect
Incident monitoring reportsare not expected artifactsfor this control.Vulnerability scan reportsare required instead.
C. Adequate because no security incidents were reported → Incorrect
The absence of incidents does not mean the OSC is performing vulnerability scanning. This isnot valid evidence.
D. Inadequate because the OSC's service provider should be interviewed → Incorrect
While interviewing the provider may be useful, themain issue is that the provided evidence is irrelevant. Thecorrect evidence (vulnerability scan reports) is missing.
CMMC 2.0 References Supporting This Answer:
NIST SP 800-171 (Requirement 3.11.2 – Vulnerability Scanning)
Defines the requirement toscan for vulnerabilities periodically and when new threats emerge.
CMMC Assessment Guide for Level 2
Specifies that evidence for RA.L2-3.11.2 should includevulnerability scan reports, not incident monitoring reports.
CMMC 2.0 Model Overview
Confirms that organizationsmust proactively identify vulnerabilities through scanning, not just rely on incident detection.
