NIST SP 800-171 Rev.2 and CMMC 2.0 Level 2 Control RA.L2-3.11.2 require organizations handling Controlled Unclassified Information (CUI) to identify, prioritize, and remediate vulnerabilities in a timely manner; integrating your vulnerability scanners with patch management and ticketing systems is the most practical, auditable way to meet that requirement and materially reduce risk. This post walks through an implementation-focused approach tailored to small and growing organizations, with specific technical details, SLA examples, automation patterns, and evidence you can present for compliance.
Implementation overview β what to build and why
Start with four capabilities: (1) accurate asset inventory and CMDB linkage, (2) regular vulnerability discovery (agent and/or authenticated scans), (3) automated creation and enrichment of remediation tickets, and (4) automated or orchestrated patch deployment with post-remediation verification. For RA.L2-3.11.2 the emphasis is not only finding issues but demonstrating a repeatable, documented remediation lifecycle β scanner output must become tickets with owners, target dates, remediation steps, and verification evidence.
Technical architecture and practical integration details
Recommended architecture: scanner(s) -> enrichment/normalization layer -> ticketing system -> patch/orchestration tool -> verification scan -> ticket closure. Key implementation details: use scanner APIs (Tenable, Qualys, Rapid7, or Greenbone/OpenVAS) to pull standardized fields (CVE, CVSS, EPSS score, scanner ID, first-seen/last-seen). Enrich records with CMDB fields (business owner, asset criticality, OS, patch group, maintenance window). Map vulnerability fields to ticket fields: asset identifier, IP, CVE, CVSS score, exploitability evidence, suggested remediation (KB number, package name), links to vendor advisories, and remediation scripts or runbooks. Use a middleware (an integration platform, a small custom service, or SOAR) to normalize payloads into the ticketing systemβs API format (Jira, ServiceNow, Zendesk, Freshservice) and to set assignment rules based on asset ownership tags.
Prioritization rules, SLAs, and automation playbooks
Define objective prioritization combining CVSS, exploitability (EPSS or presence of public exploit), asset criticality, and data sensitivity (does it process CUI?). Example SLA policy small businesses can use as a starting point: critical (CVSSβ₯9 or known exploit affecting CUI systems) β remediation or compensating control within 48 hours; high (CVSS 7.0β8.9) β remediate within 7 days; medium (CVSS 4.0β6.9) β remediate within 30 days; low (<4.0) β remediate within 90 days. Automate playbooks for common remediation tasks: Windows patching via WSUS/MECM or Patch Manager, Linux via Ansible playbooks (apt/yum/zypper), network device firmware updates via vendor APIs or secure CLI scripts, and web application updates via CI/CD pipelines. For critical evidence, configure the ticket to require a post-remediation verification scan result and attach both the pre- and post-scan exports (scanner ID, timestamps, hashes of reports) before closure.
Small-business scenario: example workflow
Example: AcmeTech is a 50-employee contractor with two Windows servers, two Linux servers, 60 endpoint laptops, and a single DMZ web server. They run Greenbone/OpenVAS weekly authenticated scans for servers and agent-based daily scans for endpoints using a lightweight agent. When a scanner finds MS-SMB remote-code-execution vulnerability on an internal file server, the integration layer posts a ticket in Jira with asset tags, CVE-IDs, affected IPs, recommended KB numbers, and assigns it to the server admin group. The ticket includes an Ansible playbook link to deploy the patch during the nightly maintenance window; once Ansible reports success, the integration triggers a targeted re-scan. If the vulnerability no longer appears, the re-scan artifact is attached and the ticket auto-closes; if it persists, the ticket escalates per the SLA. This tight loop creates a clear audit trail tied to RA.L2-3.11.2: discovery β ticket β remediation β verification.
Evidence collection, metrics and audit readiness
For compliance evidence gather: raw scanner exports (CSV/JSON) with timestamps, ticket records with assignment and status history, remediation artifacts (patch logs, orchestration runbooks, console output), verification scan outputs, and any approved exceptions or risk acceptance documents. Track KPIs like Mean Time to Remediate (MTTR) by severity, percent remediated within SLA, and open-vulnerabilities over time. Store these artifacts in an immutable audit repository or configuration-management database for the retention period required by contracting authorities (commonly 1β3 years). Demonstrating repeatable, auditable workflows is as important as low vulnerability counts when auditors assess RA.L2-3.11.2 compliance.
Risks of not integrating and exception handling
Failing to integrate scanning with patching and ticketing increases dwell time for exploitable vulnerabilities, raises the likelihood of CUI exposure, and can lead to contract penalties, suspension of DoD business, or regulatory fines. Operationally, the biggest risks are human delays (tickets not created or assigned), lack of verification (patch applied but not validated), and poor evidence retention. Implement an exception workflow: require documented compensating controls (network segmentation, WAF rules, IDS signatures) and a formal time-boxed risk acceptance signed by a senior manager; re-evaluate exceptions quarterly.
Best practices and operational tips
Operational tips: maintain a current CMDB (automate discovery), schedule both agent and authenticated scans (agents for frequency, authenticated for depth), test patches in a staging ring before wide deployment, use canary rollouts and automated rollback strategies, and keep humans in the loop for high-impact changes. Prioritize automation for low-risk, repetitive fixes (auto-patch and auto-close after verification) and require manual approval for changes affecting production CUI systems. Finally, combine scanner-derived priority with business context so that a medium CVSS issue on a CUI-processing server can be triaged higher than a high CVSS finding on a lab workstation.
In summary, meeting RA.L2-3.11.2 requires more than regular scans β it requires a closed-loop, auditable remediation lifecycle. Small organizations can achieve this by integrating scanners with a CMDB-backed ticketing system and a patch orchestration tool, defining objective SLAs and prioritization rules, automating verification scans, and retaining evidence for audits; doing so materially reduces risk to CUI and demonstrates compliance in a way auditors and contracting officers can verify.
