RA-5 / A.12.6.1 / CIS-7.3 NIST SP 800-53 Rev 5

How often do you scan internal systems for vulnerabilities (authenticated where possible)?

Description

What this control does

This control establishes the cadence and methodology for vulnerability scans against internal infrastructure, endpoints, databases, and applications. Authenticated scanning logs on to the target with credentials and inspects installed software, configuration, and patch levels directly, so it identifies exploitable weaknesses far more accurately than an unauthenticated scan, which can only infer them from exposed services. Regular scanning (e.g., weekly or monthly) shortens the window between a vulnerability's disclosure and its detection on your estate, and scan scope must cover all on-premises and cloud-hosted assets. Scan credentials are themselves a high-value target: they should be dedicated, least-privilege accounts injected from a vault at scan time rather than stored in scanner configuration, because an attacker who recovers them gains authenticated access to every asset in scope.

Control objective

What auditing this proves

Demonstrate that the organization performs vulnerability scans of internal systems at defined, appropriate intervals using authenticated methods where technically feasible, and that scan coverage encompasses all critical and in-scope assets.

Associated risks

Risks this control addresses

  • Exploitation of unpatched vulnerabilities that infrequent or absent scanning never surfaced, enabling initial access and lateral movement within the network
  • Credential-based attacks succeeding because weak or default local credentials remain undetected without the depth of an authenticated scan
  • Compliance violations and audit findings resulting from failure to meet regulatory scanning-frequency requirements
  • Newly disclosed vulnerabilities remaining unidentified for extended periods because the scan cadence lags behind the scanner's plugin or signature feed updates
  • False sense of security from unauthenticated scans, which cannot see missing kernel patches, local privilege-escalation flaws, or vulnerable client-side software that only a credentialed check reports
  • Data breach or ransomware incident originating from internal systems with exploitable CVEs that scanning would have flagged
  • Shadow IT or unmanaged devices operating without vulnerability visibility, creating unmonitored attack surface

Testing procedure

How an auditor verifies this control

  1. Obtain and review the organization's vulnerability management policy, including documented scan frequency requirements and authentication standards.
  2. Request a complete inventory of scanning tools deployed (e.g., Tenable, Qualys, Rapid7) and confirm licensure and operational status.
  3. Review scan schedules and automation configurations within the vulnerability management platform to verify programmed cadence matches policy.
  4. Pull scan history logs or dashboards for the prior 90 days and verify actual execution frequency for all asset groups (servers, workstations, databases, cloud instances).
  5. Select a representative sample of 10-15 internal assets across different segments and validate that authenticated scans were performed using service accounts or credential vaults.
  6. Examine authentication success rates within scan reports to confirm credentials are valid and scans achieve privileged access to target systems.
  7. Cross-reference asset inventory against scan targets to identify any systems excluded from scanning or missing from scope definitions.
  8. Interview IT operations or security engineering staff to confirm remediation workflows triggered by scan findings and validate that scan frequency accommodates remediation SLAs.
Evidence required

Collect vulnerability management policy documents defining scan frequency and authentication requirements; configuration exports from scanning platforms showing scheduled scan jobs, credential stores, and asset group assignments; vulnerability scan reports and execution logs covering a 90-day trailing period with timestamps, authentication status, and asset coverage; asset inventory records cross-referenced to scanning scope; screenshots of dashboard views showing scan cadence compliance and authentication success rates.
Pass criteria

Authenticated vulnerability scans are executed on all in-scope internal systems at intervals no longer than those set in the organization's documented policy (typically at least monthly for general infrastructure and weekly for critical systems), with evidence of successful authentication on at least 90% of targeted assets and no interval between consecutive scans of any in-scope asset exceeding the policy interval during the trailing 90 days.
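The checks in testing steps 4, 6 and 7 and the pass criteria above can be run mechanically against a scan execution export and an asset inventory. The script below is an added example, not part of this control page or of any scanning vendor's product: it assumes a simple record format (asset, scan completion time, whether the credentialed login succeeded), takes the page's "weekly for critical, monthly for general" figures as the policy, treats an asset as authenticated if its most recent in-window scan obtained credentialed access, and measures the longest interval without a scan for each asset, including the interval that straddles the start of the 90-day window. All host names, timestamps and policy values are constructed for the example.

```python
"""Check a 90-day scan execution log against a scan-cadence and authentication policy.

Added example; the log/inventory formats and policy numbers are assumptions,
and every host name and timestamp below is constructed, not real data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy: maximum days between scans per criticality tier, and the
# minimum share of in-scope assets whose latest scan must have authenticated.
POLICY_MAX_GAP_DAYS = {"critical": 7, "general": 30}
MIN_ASSET_AUTH_RATE = 0.90
TRAILING_WINDOW_DAYS = 90


def weekly(asset, first, count, skip=(), failed=()):
    """Constructed weekly scan records for one asset: (asset, scan time, credentialed).
    `skip` and `failed` are week indices to drop or to mark as failed logins."""
    return [(asset, first + timedelta(days=7 * k), k not in failed)
            for k in range(count) if k not in skip]


# Constructed asset inventory: host -> criticality tier.
INVENTORY = {
    "db-prod-01": "critical",
    "web-prod-01": "critical",
    "ws-fin-042": "general",
    "jump-01": "general",   # inventoried, but only scanned before the window
}

T0 = datetime(2024, 3, 3, 3, 0)  # first scan of the window (03:00 nightly job)
SCAN_LOG = (
    weekly("db-prod-01", T0, 13)                              # compliant
    + weekly("web-prod-01", T0, 13, skip={6}, failed={8, 9})  # one missed week, two login failures
    + [("ws-fin-042", datetime(2024, 3, 10, 3), True),
       ("ws-fin-042", datetime(2024, 4, 9, 3), True),
       ("ws-fin-042", datetime(2024, 5, 9, 3), True),
       ("jump-01", datetime(2024, 1, 15, 3), True),          # outside the 90-day window
       ("printer-lab-7", datetime(2024, 4, 1, 3), False)]    # scanned, not in inventory
)


def evaluate(inventory, scan_log, window_end, window_days=TRAILING_WINDOW_DAYS,
             policy=POLICY_MAX_GAP_DAYS, min_auth_rate=MIN_ASSET_AUTH_RATE):
    """Return coverage, cadence and authentication findings for the trailing window."""
    window_start = window_end - timedelta(days=window_days)
    by_asset = defaultdict(list)
    for asset, when, authed in scan_log:
        by_asset[asset].append((when, authed))

    # Step 7: scan targets missing from the inventory hint at shadow IT or a stale CMDB.
    unknown_targets = sorted(set(by_asset) - set(inventory))
    unscanned, gap_violations = [], {}
    authed_assets = scans_in_window = credentialed_scans = 0

    for asset, tier in inventory.items():
        records = sorted(by_asset.get(asset, []))
        inside = [(t, a) for t, a in records if window_start <= t <= window_end]
        if not inside:
            unscanned.append(asset)   # step 7: in scope, no scan in the window
            continue
        scans_in_window += len(inside)
        credentialed_scans += sum(1 for _, a in inside if a)
        if inside[-1][1]:             # step 6: did the latest scan get privileged access?
            authed_assets += 1
        # Step 4: longest interval without a scan. The gap that straddles the window
        # start is measured from the last pre-window scan so it is not under-counted.
        before = [t for t, _ in records if t < window_start]
        points = [before[-1] if before else window_start] + [t for t, _ in inside] + [window_end]
        max_gap = max((b - a).total_seconds() / 86400 for a, b in zip(points, points[1:]))
        if max_gap > policy[tier]:
            gap_violations[asset] = round(max_gap, 2)

    asset_auth_rate = authed_assets / len(inventory) if inventory else 0.0
    scan_auth_rate = credentialed_scans / scans_in_window if scans_in_window else 0.0
    return {
        "window": (window_start, window_end),
        "unscanned": unscanned,
        "gap_violations": gap_violations,
        "unknown_targets": unknown_targets,
        "asset_auth_rate": asset_auth_rate,
        "scan_auth_rate": scan_auth_rate,
        "passed": not unscanned and not gap_violations and asset_auth_rate >= min_auth_rate,
    }


def run_report():
    """Evaluate the constructed data as of 2024-06-01; the control fails here."""
    return evaluate(INVENTORY, SCAN_LOG, datetime(2024, 6, 1))


if __name__ == "__main__":
    for key, value in run_report().items():
        print(f"{key}: {value}")
```

On the constructed data the control fails on three independent grounds, which is the point of separating the findings rather than returning a single verdict: `jump-01` has no scan inside the window even though it was scanned once in January, `web-prod-01` skipped one weekly run and so shows a 14-day gap against a 7-day policy, and only 3 of 4 in-scope assets authenticated on their latest scan (75%, below the 90% bar) even though 26 of 28 individual scans were credentialed. The per-scan rate is reported alongside the per-asset rate because scanner dashboards usually show the former, and it can look healthy while a specific critical host has been failing credentialed access for weeks. `printer-lab-7` appears in the log but not in the inventory, which is the inventory-versus-scope discrepancy step 7 asks the auditor to chase.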