Vulnerability Management Risk & Remediation // 11 MIN READ

Vulnerability Scanning for CMMC: Authenticated Scans, Exceptions, and Remediation Evidence

The Scan Is Not the Control. The Remediation Is.

CMMC Level 2 requires vulnerability scanning of in-scope systems — but the controls demand far more than running a monthly Nessus report. Authenticated scans, documented exceptions, defined patch timelines, and remediation evidence are what assessors actually evaluate. The scan is the starting point. Everything that happens after it is what gets scored.

Why Vulnerability Scanning Is Often Misunderstood

Most contractors treat vulnerability scanning as a checkbox. They run a scan once a month, export the PDF, file it in a folder, and move on. When the assessor asks about their vulnerability management program, they produce the PDF and say "we scan monthly." The assessor then asks three questions that the PDF cannot answer:

"Show me what you did with the findings. Show me which vulnerabilities are remediated, which are accepted, and why. Show me how long critical findings stayed open." If you cannot answer all three, the scan is evidence of a problem — not evidence of a control.

The confusion stems from reading the controls too narrowly. NIST SP 800-171 control RA.L2-3.11.2 requires organizations to scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems are identified. But that control does not exist in isolation. It is part of a chain:

RA.L2-3.11.2

Scan

Identify vulnerabilities in all in-scope systems periodically and when new threats emerge

RA.L2-3.11.3

Remediate

Remediate vulnerabilities in accordance with risk assessments

SI.L2-3.14.1

Flaw Remediation

Identify, report, and correct system flaws in a timely manner

Scanning without remediation satisfies nothing. The three controls form a chain: identify vulnerabilities, prioritize them by risk, remediate them within a defined timeline, and verify the fix. An assessor evaluates the entire chain — not just the first link.

Internal Versus External Scans

NIST SP 800-171 does not explicitly differentiate between internal and external vulnerability scans — the requirement is to scan organizational systems. But in practice, an assessor expects to see both perspectives covered, because the threat landscape differs depending on vantage point.

Internal Scans

From Inside the Network Boundary

The scanner sits on the same network as the target systems — behind the firewall, inside the VPN, within the enclave. It sees the same attack surface that an insider or a compromised endpoint would see. Internal scans reveal missing patches on workstations, misconfigured services, weak protocols, open management ports, and unpatched third-party software. This is the primary scan type for CMMC — because most CUI-handling systems are not directly internet-facing.

External Scans

From Outside the Network Boundary

The scanner runs from the internet against your public-facing IP addresses and services — web servers, mail servers, VPN gateways, cloud endpoints. It sees what an external attacker would see. External scans reveal exposed services, SSL/TLS misconfigurations, outdated web server versions, and open ports that should not be accessible from the internet. If you have any internet-facing services in the assessment boundary, external scans are expected.

For organizations where all CUI processing happens in a cloud environment like GCC High — with no on-premises servers and no internet-facing infrastructure they manage — external scanning of self-managed assets may not apply. But the assessor will still expect evidence that the cloud platform's vulnerabilities are tracked, typically through Microsoft Secure Score, Defender for Cloud, or equivalent tooling that monitors the cloud posture.

Authenticated Scanning and Why It Matters

This is the single most important technical distinction in CMMC vulnerability scanning — and the one most contractors get wrong.

An unauthenticated scan (also called a network scan or remote scan) probes a target system from the outside — checking open ports, banner-grabbing services, and testing for known remote vulnerabilities. It sees what an attacker would see across the network. It is useful, but incomplete. An unauthenticated scan cannot see locally installed software, missing operating system patches, weak local configurations, or application-level vulnerabilities — because it does not have credentials to log into the system.

An authenticated scan (also called a credentialed scan) logs into the target system using provided credentials — typically a local admin or domain admin account — and inspects the system from the inside. It reads the installed software inventory, checks patch levels, examines registry settings, reviews service configurations, and identifies vulnerabilities that are invisible from the network. The difference in coverage is not marginal. It is often an order of magnitude.

Scan Type What It Finds What It Misses Unauthenticated Open ports, exposed services, banner-reported versions, SSL/TLS issues, remote-exploitable CVEs Locally installed software, missing OS patches, local config weaknesses, application-level flaws, anything behind authentication Authenticated All of the above, plus: full software inventory, patch compliance, registry settings, local user accounts, service configurations, file permissions, application-level CVEs Very little — authenticated scans provide the most complete view of a system's vulnerability posture
Assessors know the difference. If you present a scan report and the assessor sees that every target returned only port-level findings with no OS patch data, they know the scan was unauthenticated. They will ask: "Are these credentialed scans?" If the answer is no, the control is likely scored Not Met — because an unauthenticated scan does not provide sufficient visibility to satisfy the intent of RA.L2-3.11.2.

Authenticated scanning requires planning. The scan credential must have local administrator access on every target. In environments using Intune-managed endpoints without a traditional domain, this means deploying a local admin account through Intune or using a service like Microsoft Defender Vulnerability Management, which uses the endpoint agent to report vulnerability data without requiring a separate scan credential. For firewalls, switches, and network appliances, SNMP or SSH credentials may be required. Each device type has its own authentication model — and each must be configured in the scanning tool.

Handling Appliances, Servers, Workstations, and Cloud Workloads

Not every in-scope asset can be scanned the same way. The scanning strategy must account for the different capabilities and limitations of each asset type in the environment.

01

Windows Servers and Workstations

The easiest to scan with credentials. Use a domain-joined service account or a local admin account. Enable WMI and remote registry access on targets. Scan tools like Tenable Nessus, Qualys, or Rapid7 InsightVM support Windows credentialed scanning natively. Alternatively, Microsoft Defender Vulnerability Management uses the installed Defender for Endpoint agent to report vulnerability data continuously — no separate scan required. Either approach satisfies the control.

02

Linux and macOS Systems

Authenticated scanning requires SSH access with a privileged account (root or sudo-capable). Ensure the SSH service is running and the scan account has the necessary permissions. For macOS endpoints managed through Intune, agent-based vulnerability reporting through Defender for Endpoint is often more practical than network-based credentialed scanning.

03

Network Appliances (Firewalls, Switches, APs)

Firewalls and managed switches often support SNMP-based scanning or SSH-based credentialed access. The scanner checks firmware version against known CVE databases. For appliances that do not support agent-based or credential-based scanning, document the limitation and use the vendor's security advisory feed to track vulnerabilities manually. The key is that the appliance appears in the scan scope — even if the scan method differs from standard hosts.

04

Cloud Workloads (Azure VMs, Containers)

For Azure Government VMs, use Microsoft Defender for Cloud to assess vulnerability posture continuously. For containers, scan images in the registry before deployment and monitor running containers with Defender for Containers. The scanning model shifts from periodic network scans to continuous agent-based assessment — but the evidence requirements are the same: identified vulnerabilities, severity ratings, remediation timelines, and closure proof.

05

SaaS and Managed Services

You cannot scan GCC High, Exchange Online, or SharePoint Online with a traditional vulnerability scanner — Microsoft manages the infrastructure. Your responsibility is to track the configuration posture using Microsoft Secure Score, Defender for Cloud Apps, and Compliance Manager. For third-party SaaS in scope, verify the vendor's vulnerability management practices through their FedRAMP authorization, SOC 2 report, or shared responsibility documentation.

Every in-scope asset must appear in scan coverage. The assessor will compare your asset inventory from the SSP to the targets in your scan reports. If a server, workstation, or appliance appears in the inventory but not in the scan results, they will ask why. "We forgot to add it" is a finding. "It cannot be scanned and here is the documented compensating control" is not.

False Positives, Risk Acceptance, and Exception Handling

No scan report is perfect. Every environment produces false positives — findings that the scanner reports as vulnerabilities but that are not actually exploitable in context, or that apply to a component that is not in the configuration the scanner assumes. The question is not whether you have false positives. The question is whether you have a documented process for handling them.

NIST SP 800-171 control RA.L2-3.11.3 requires remediating vulnerabilities "in accordance with risk assessments." That phrase is critical — it means not every finding requires an immediate patch. Some findings are false positives that should be dismissed. Some are real vulnerabilities where the risk is accepted because the compensating control makes exploitation impractical. Some are deferred because the patch requires a maintenance window. Each of these outcomes is valid — but only if it is documented.

Finding Disposition What It Requires Evidence Remediated Patch applied, configuration changed, or vulnerable component removed Rescan showing finding cleared False positive Technical analysis confirms the finding does not apply to the system's actual configuration Documented analysis with justification Risk accepted Vulnerability is real but risk is mitigated by compensating control or is below the organization's risk threshold Signed risk acceptance with compensating control Deferred Patch is planned but requires a maintenance window, testing, or vendor support — tracked in POA&M or remediation tracker POA&M entry with target date Unaddressed Finding has no disposition — it appears in the scan report with no record of analysis, remediation, or acceptance Assessment finding — control Not Met
Every finding needs a disposition. The worst outcome during an assessment is not a long list of vulnerabilities. It is a long list of vulnerabilities with no evidence that anyone looked at them. A hundred findings that are triaged, documented, and tracked — even if some are deferred or accepted — is a functional vulnerability management program. A hundred findings with no dispositions is a failure.

Patch SLAs and Remediation Proof

NIST SP 800-171 control SI.L2-3.14.1 requires identifying, reporting, and correcting system flaws in a timely manner. "Timely" is not defined by the standard — it is an organization-defined value. The contractor sets the remediation timelines in their own policy, and the assessor evaluates whether those timelines are being met.

The industry-standard approach is to define remediation SLAs by severity:

Severity CVSS Score Range Typical Remediation SLA
Critical 9.0 – 10.0 15 days or less
High 7.0 – 8.9 30 days
Medium 4.0 – 6.9 60 days
Low 0.1 – 3.9 90 days or next maintenance window

These numbers are not mandated by CMMC. They are the contractor's own policy. But once you define them, you are held to them. If your policy says critical vulnerabilities are patched within 15 days and the assessor finds a critical CVE that was open for 60 days with no documented exception, the control is Not Met — not because of the vulnerability, but because of the SLA violation.

Set SLAs you can actually meet. Contractors frequently write aggressive patch timelines into their policies to look rigorous — then fail to meet them in practice. A 30-day critical SLA that you consistently achieve is better than a 15-day SLA with chronic breaches. The assessor does not score your ambition. They score your execution.

Remediation proof is the rescan. After a vulnerability is patched, the system must be rescanned to confirm the finding is cleared. A patch ticket that says "applied KB5034441" is not remediation proof — it is remediation intent. The rescan showing the CVE no longer appears is the proof. If your scanning cadence is monthly, this means a finding remediated on day five may not be confirmed cleared until day thirty. Some organizations run targeted rescans after patch cycles specifically to close this evidence gap.

What Evidence Assessors Expect to See

The vulnerability management evidence package is one of the most heavily scrutinized artifacts in a CMMC assessment. Assessors are looking for a complete lifecycle: scan configuration, scan execution, finding triage, remediation action, and verification. Here is the full set:

Evidence 01 Scan Policy
Documented policy stating scan frequency (monthly minimum), scan type (authenticated), scope (all in-scope assets), and the tool used. Must include the remediation SLA table by severity and the exception handling process.
Evidence 02 Scan Configuration
Screenshot or export from the scanning tool showing: target list (must match SSP asset inventory), credential configuration (confirming authenticated mode), scan schedule, and plugin/signature update status.
Evidence 03 Scan Reports (3+ months)
At least three consecutive monthly scan reports showing the full results — not just executive summaries. Reports should include host-level detail, CVE identifiers, severity ratings, and whether the scan was authenticated (look for "credentialed checks: yes" or equivalent).
Evidence 04 Remediation Tracker
A tracking document, spreadsheet, or ticketing system showing every finding from recent scans with its current disposition: remediated (with date), deferred (with target date), accepted (with justification), or marked as false positive (with analysis). Must show history — not just the current state.
Evidence 05 Rescan Confirmation
For remediated findings, a subsequent scan report showing the finding is cleared — or a targeted rescan report confirming the specific CVE is no longer present on the host. This closes the remediation loop and proves the patch worked.
Evidence 06 Exception Register
For findings marked as false positive or risk-accepted: a register with the CVE, the affected host, the analysis or justification, the compensating control (if applicable), the approver, and the review date. Exceptions should be time-bounded and re-evaluated periodically.
Evidence 07 Coverage Verification
A crosswalk between the SSP asset inventory and the scan target list — confirming that every in-scope asset is included in scan coverage. If any asset is excluded, document why (e.g., unscannable appliance with manual firmware tracking) and the compensating approach.
The most common assessment failure in vulnerability management: The contractor produces scan reports but cannot show what happened with the findings. The reports sit in a folder. No remediation tracker exists. No exceptions are documented. No rescans confirm fixes. The scan ran — but the program did not. The control is Not Met.

The Bottom Line

Vulnerability scanning for CMMC is not a checkbox. It is a lifecycle: scan, triage, remediate, verify, document. The scan identifies the problem. The triage assigns a disposition. The remediation fixes or accepts it. The rescan proves it. The documentation ties it all together for the assessor.

Authenticated scans are the expectation — unauthenticated scans miss too much to satisfy the intent of the control. Every in-scope asset must appear in scan coverage. Every finding must have a disposition. Every remediation must be verified. And every exception must be justified, approved, and time-bounded.

The assessor does not care how many vulnerabilities your scan finds. They care that you know about them, that you have a process for dealing with them, and that you can prove the process works. A clean scan report with zero findings is not more impressive than a report with findings — if every finding is triaged, tracked, and resolved within your stated SLAs. The program is the control. The scan is just the input.

Related Articles

Patch Management for CMMC: What "Timely" Means in PracticeAudit Logging for CMMC: What to Collect and How Long to Keep ItCMMC POA&Ms: The 180-Day Closeout RuleAdequate vs Sufficient Evidence in CMMCCMMC Level 2 Assessment Scope Explained