3.11.2 Scan for Vulnerabilities

3.11.2 scan for vulnerabilities in organizational systems

Scan for vulnerabilities…
This is the fifth-most “Other than satisfied” #CMMC requirement, with an 18% fail rate.

3.11.2 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.

“Organizational systems”…
This is an example of a broadly-applicable requirement – something that is expected to be applied holistically from boundary to boundary, not just to assets that have CUI.

Many assessors will expect you to perform vulnerability scans of the entire network where you have CUI, not just the “CUI Assets”. This means that your CRMA 💻 are fair game for vulnerability scans if they can affect the security of your CUI. (I’ll ask in poll)

If you only scan convenient systems, such as the ones at the office, while ignoring the laptops on the road, you will probably fail.

“applications”…
To me, the primary use case for “applications” is software that can be connected to via a listening network port. I’m thinking of web servers, database servers, file servers. These are high-risk for compromise due to vulnerabilities because they can be attacked from the network.

I’m guessing that applications are called out separately from systems because scanning network-enabled applications for vulnerabilities is a different process than enumerating software versions in a system.

For example, scanning a Linux operating system may not detect flaws in the WordPress website hosted by the server. Thus both are required separately because NIST doesn’t want anyone to forget to scan the website or database.

Most simple software like Microsoft Office, Chrome, and Adobe Acrobat would be vulnerability-scanned as part of the organizational system on which it is installed.

“periodically”…
This just means “at least once per year”.

“when new vulnerabilities are identified”…
This is a pain point which probably causes the most failures. You need to be able to demonstrate running a vulnerability scan against your environment in response to a newly discovered vulnerability.

For example, anyone remember Log4Shell, affecting the Apache logging library Log4j, which is used by a ton of different applications?
If your network existed in 2021, an assessor might ask you for the vulnerability scan you performed in response to Log4Shell. 😱
You didn’t run one? Doom!

โฐ Perform continuous vulnerability scans? If you are automatically performing vulnerability scans within a day or two of each vulnerability detection, it is my opinion that you are exceeding the expectation for this requirement.
