Perform Automated Vulnerability Scans of Internal Enterprise Assets
Description
Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
Implementation Checklist
Tool Recommendations
Tenable (per-asset subscription): Continuous vulnerability assessment and exposure management across IT assets, cloud, containers, and OT
Qualys (per-asset subscription): Cloud-based vulnerability management, detection, and response with integrated patch management and asset inventory
Rapid7 (per-asset subscription): Vulnerability management platform with live dashboards, risk prioritization, and remediation workflows
Threats & Vulnerabilities (CIS RAM)
Threat Scenarios
Persistent Internal Vulnerabilities Exploited by Lateral Movement
Confidentiality: Without automated internal vulnerability scanning, attackers who gain initial access discover and exploit unpatched internal systems, databases, and applications that were never assessed, enabling rapid lateral movement through the environment.
Insider Exploitation of Undiscovered Internal Weaknesses
Integrity: Malicious insiders or compromised accounts exploit internal vulnerabilities that would have been detected by authenticated scanning, such as misconfigured services, default credentials, or missing patches on internal-only servers.
Compliance Gaps from Infrequent or Missing Internal Scans
Availability: Without quarterly automated internal scanning using SCAP-compliant tools, the organization cannot demonstrate continuous vulnerability assessment to auditors, resulting in findings under PCI DSS Requirement 11 or similar frameworks.
Vulnerabilities (When Safeguard Absent)
No Authenticated Internal Vulnerability Scanning
The organization does not perform credentialed internal vulnerability scans, meaning scanners cannot assess installed software versions, missing patches, or configuration weaknesses behind authentication barriers, missing up to 60% of actual vulnerabilities.
Infrequent or Manual Internal Scanning Cadence
Internal vulnerability scans are performed sporadically or only before audits rather than on an automated quarterly schedule, allowing new vulnerabilities to persist undetected for extended periods between scan windows.
Evidence Requirements
| Type | Evidence Item | Collection Frequency |
|---|---|---|
| Document | Current inventory or catalog documentation | Maintained continuously, reviewed quarterly |
| Document | Process/procedure documentation for identification activities | Reviewed annually |
| Technical | Vulnerability scan reports showing scope and findings | Per scan cycle |
| Record | Vulnerability remediation tracking with SLA compliance metrics | Monthly |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
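The cadence check ("quarterly or more frequent", both authenticated and unauthenticated, SCAP-compliant tool) and the remediation SLA metric from the evidence table can be verified mechanically from scan and ticket records. The following is an added example, not code from any of the listed vendors or from CIS; the scan records, findings, audit date and SLA windows are all constructed for illustration.

```python
from datetime import date

# Constructed sample scan records (not real scanner output): date, credentialed or not, SCAP tool or not.
SCANS = [
    {"date": date(2024, 1, 15), "authenticated": False, "scap": True},
    {"date": date(2024, 1, 16), "authenticated": True,  "scap": True},
    {"date": date(2024, 4, 10), "authenticated": False, "scap": True},
    {"date": date(2024, 7, 1),  "authenticated": True,  "scap": False},  # ad hoc run with a non-SCAP tool
    {"date": date(2024, 10, 2), "authenticated": False, "scap": True},
    {"date": date(2024, 10, 2), "authenticated": True,  "scap": True},
]
# Constructed remediation records: severity, date found, date closed (None = still open).
FINDINGS = [
    {"severity": "critical", "found": date(2024, 10, 3), "closed": date(2024, 10, 12)},
    {"severity": "critical", "found": date(2024, 10, 3), "closed": None},
    {"severity": "high",     "found": date(2024, 10, 3), "closed": date(2024, 11, 10)},
    {"severity": "medium",   "found": date(2024, 10, 3), "closed": None},
]
AS_OF = date(2024, 11, 15)   # constructed audit date
MAX_GAP_DAYS = 92            # "quarterly or more frequent": longest calendar quarter is 92 days
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90}  # assumed remediation SLAs, not from the page

def cadence_gaps(scans, authenticated, as_of, max_gap=MAX_GAP_DAYS):
    """Return (start, end) pairs where consecutive SCAP scans of one type are more
    than max_gap days apart; the last interval runs to as_of to catch an overdue scan."""
    dates = sorted(s["date"] for s in scans
                   if s["authenticated"] == authenticated and s["scap"])
    checkpoints = dates + [as_of]
    return [(a, b) for a, b in zip(checkpoints, checkpoints[1:])
            if (b - a).days > max_gap]

def sla_metrics(findings, as_of, sla=SLA_DAYS):
    """Per severity: (total, within_sla). An open finding counts as within SLA
    while its age is still inside the SLA window for its severity."""
    out = {}
    for f in findings:
        age = ((f["closed"] or as_of) - f["found"]).days
        total, ok = out.get(f["severity"], (0, 0))
        out[f["severity"]] = (total + 1, ok + (age <= sla[f["severity"]]))
    return out

if __name__ == "__main__":
    for kind, flag in (("authenticated", True), ("unauthenticated", False)):
        for a, b in cadence_gaps(SCANS, flag, AS_OF):
            print(f"{kind}: {(b - a).days}-day gap between {a} and {b}")
    for sev, (total, ok) in sla_metrics(FINDINGS, AS_OF).items():
        print(f"{sev}: {ok}/{total} within SLA")
```

Note that the July authenticated run is ignored because it did not come from a SCAP-compliant scanner, so the authenticated cadence still shows a 260-day gap.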