Perform periodic scans of organizational systems
What This Means
This practice requires organizations to regularly scan their systems for vulnerabilities and other security issues. Think of it like a health check-up for your IT systems: just as you would visit a doctor periodically to ensure you're healthy, your systems need regular scans to ensure they're secure. These scans help identify weaknesses that could be exploited by attackers. For example, if your company uses outdated software, a scan will flag it so you can update it before it becomes a problem. Regular scans are a key part of maintaining a secure environment and protecting sensitive information.
Why It Matters
Failing to perform periodic scans can leave your systems vulnerable to attacks. According to a 2023 report, 60% of breaches occurred due to unpatched vulnerabilities. For defense contractors, this is especially critical because compromised systems can lead to the loss of sensitive government data, hefty fines, and damage to your reputation. The DoD emphasizes this control to ensure that defense contractors maintain a strong security posture. Without regular scans, you risk missing vulnerabilities that could be exploited, potentially leading to data breaches or compliance failures.
How to Implement
1. Enable built-in vulnerability scanning tools in your cloud provider (e.g., AWS Inspector, Azure Security Center, GCP Security Command Center).
2. Configure scanning schedules to run at least weekly.
3. Set up alerts for critical vulnerabilities.
4. Integrate scan results with your ticketing system for remediation tracking.
5. Ensure scans cover all assets, including virtual machines, containers, and databases.
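The five steps above describe a process, not a product, so the following is an added example (not part of this guidance and not tied to any named scanner) showing how the steps can be checked automatically once scan exports are available: it compares a constructed asset inventory against constructed scan results to find unscanned assets (step 5), flags scans older than the weekly schedule (step 2), selects critical findings for alerting (step 3), and turns findings at or above a chosen severity into deduplicable ticket records (step 4). The inventory and result record layouts, the asset names, and the finding identifiers are all assumptions made for the example.

```python
"""Added example: scan coverage, recency and escalation checks over
constructed data. The record formats below are assumptions, not the
export format of any particular scanning product."""
from datetime import datetime, timedelta, timezone

# Constructed asset inventory: everything inside the scoped boundary that must be scanned.
INVENTORY = [
    {"id": "vm-web-01", "type": "virtual_machine"},
    {"id": "vm-db-01", "type": "database"},
    {"id": "ctr-api-7f3a", "type": "container"},
    {"id": "vm-build-02", "type": "virtual_machine"},   # never scanned -> coverage gap
]

# Constructed scan results in an assumed, simplified scanner export layout.
# Finding identifiers are placeholders, not real vulnerability identifiers.
SCAN_RESULTS = [
    {"asset": "vm-web-01", "scanned_at": "2024-03-10T02:00:00Z",
     "findings": [
         {"id": "FINDING-0001", "severity": "critical", "title": "Outdated web server package"},
         {"id": "FINDING-0002", "severity": "low", "title": "Verbose server banner"},
     ]},
    {"asset": "vm-db-01", "scanned_at": "2024-02-20T02:00:00Z",   # older than a week -> stale
     "findings": [
         {"id": "FINDING-0003", "severity": "high", "title": "Missing database patch"},
     ]},
    {"asset": "ctr-api-7f3a", "scanned_at": "2024-03-11T02:00:00Z", "findings": []},
]

MAX_SCAN_AGE = timedelta(days=7)        # "at least weekly" from the implementation steps
ALERT_SEVERITIES = {"critical"}         # severities that page an on-call responder
SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def parse_ts(value):
    """Parse the scanner's UTC timestamp (assumed ISO 8601 with a trailing Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Fixed "current time" for the constructed data so the checks are reproducible.
AS_OF = parse_ts("2024-03-12T00:00:00Z")


def coverage_gaps(inventory, results):
    """Assets in the inventory that have no scan result at all (step 5)."""
    scanned = {r["asset"] for r in results}
    return sorted(a["id"] for a in inventory if a["id"] not in scanned)


def stale_scans(results, now=AS_OF, max_age=MAX_SCAN_AGE):
    """Assets whose most recent scan is older than the required interval (step 2)."""
    return sorted(r["asset"] for r in results if now - parse_ts(r["scanned_at"]) > max_age)


def critical_alerts(results):
    """Findings that should raise an immediate alert (step 3)."""
    return [
        {"asset": r["asset"], "finding": f["id"], "title": f["title"]}
        for r in results
        for f in r["findings"]
        if f["severity"] in ALERT_SEVERITIES
    ]


def remediation_tickets(results, min_severity="high"):
    """Ticket records for findings at or above min_severity (step 4).
    The key combines asset and finding so a re-scan that reports the same
    finding again maps to the existing ticket instead of opening a duplicate."""
    threshold = SEVERITY_ORDER[min_severity]
    return [
        {"key": f"{r['asset']}:{f['id']}", "severity": f["severity"],
         "summary": f"{f['title']} on {r['asset']}", "status": "open"}
        for r in results
        for f in r["findings"]
        if SEVERITY_ORDER[f["severity"]] >= threshold
    ]


def compliance_report(inventory=INVENTORY, results=SCAN_RESULTS, now=AS_OF):
    """Combine the checks into one record suitable for the evidence folder."""
    gaps = coverage_gaps(inventory, results)
    stale = stale_scans(results, now)
    return {
        "as_of": now.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "coverage_gaps": gaps,
        "stale_scans": stale,
        "alerts": critical_alerts(results),
        "tickets": remediation_tickets(results),
        "compliant": not gaps and not stale,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(compliance_report(), indent=2))
```

Run as a script it prints the report; with the constructed data it reports one unscanned asset, one stale scan, one critical alert and two tickets, and marks the period non-compliant. In practice the inventory would come from the cloud provider's asset API or a CMDB export and the results from the scanner's export, and the report itself would be retained as the "scan reports" and "remediation tracking" evidence listed later on this page.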
Evidence Examples
- Scanning schedule
- Scan reports
- Remediation tracking
- Policy document
SSP Guidance
Use this guidance when writing the System Security Plan (SSP) narrative for this control.
How to Write the SSP Narrative
For SI.L1-3.14.5 ("Perform periodic scans of organizational systems"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe your system and information integrity controls, including the patch management process, antivirus/EDR deployment, email gateway protection, SIEM monitoring, and application security measures. Be specific: name your actual products, settings, and responsible personnel.
Example SSP Narratives
"SI.L1-3.14.5 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to perform periodic scans of organizational systems. The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."
"SI.L1-3.14.5 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to perform periodic scans of organizational systems. Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."
"SI.L1-3.14.5 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."
System Boundary Considerations
- Identify all systems requiring patch management within the CUI boundary
- Document EDR/AV coverage across endpoints and servers
- Specify SIEM monitoring coverage and alert rules
- Ensure this control covers all systems within your defined CUI boundary where periodic scanning of organizational systems applies
- Document any systems where this control is not applicable and explain why
Key Documentation to Reference in SSP
- System and Information Integrity Policy
- Patch management reports
- AV/EDR deployment records
- SIEM alert configuration
- Evidence artifacts specific to SI.L1-3.14.5
- POA&M entry if control is not fully implemented
What the Assessor Looks For
The assessor will verify that patch management SLAs are met, check AV/EDR deployment coverage (should be 100%), review SIEM alert rules and response times, and test that the email gateway blocks malicious content.
Self-Assessment Questions
Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.
Question 1: Do you have a documented schedule for performing system scans?
Question 2: Are scans performed at least monthly?
Question 3: Do you review and remediate scan results promptly?
Question 4: Are scan reports and remediation actions documented?
Question 5: Do you have a policy outlining scanning procedures?
Common Mistakes (What Auditors Flag)
1. Not scanning all systems
2. Infrequent scans
3. Ignoring scan results
4. Incomplete documentation
5. Not updating scanning tools
Parent Policy
This practice is governed by the System and Information Integrity Policy.