How to scan every device (servers, desktops, laptops, VMs, containers, firewalls, switches, printers) for NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - RA.L2-3.11.2 compliance

Practical, step-by-step guidance to discover, scan, and remediate vulnerabilities across every device type to meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 (RA.L2-3.11.2) requirements.

April 18, 2026
4 min read

This post shows a practical, small-business-focused approach to discover and scan every device class—servers, desktops, laptops, virtual machines, containers, firewalls, switches, printers—for compliance with NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 control RA.L2-3.11.2, with concrete tool choices, scan configurations, credentialing options, remediation workflows, and audit evidence you can implement this quarter.

What RA.L2-3.11.2 requires and key objectives

RA.L2-3.11.2 requires organizations to scan for vulnerabilities in organizational systems and applications periodically and whenever new vulnerabilities affecting those systems are identified; its companion control RA.L2-3.11.3 requires remediating what the scans find in accordance with risk assessments. In practice that means an accurate asset inventory, routine authenticated scans wherever possible, image/container scanning in CI/CD, network-device and IoT scanning with suitable protocols (SNMP/SSH/API), a trigger to rescan when a new advisory affects you, documented remediation timelines, and evidence (scan reports, tickets, POA&Ms) kept with your System Security Plan (SSP) so that Controlled Unclassified Information (CUI) and the systems that handle it remain protected.

Step 1 — Build and maintain a complete asset inventory

Start by enumerating every device type. For a small business (50–200 seats) use an asset inventory that combines an automated discovery tool (Nmap, Masscan, or your vulnerability scanner's network discovery) with endpoint management sources (Microsoft Intune, Jamf, SCCM, cloud asset APIs). Tag assets by type (server, desktop, laptop, VM, container image, firewall, switch, printer), owner, location, and whether they process CUI. Treat a host that does not answer a discovery sweep as unknown rather than absent: ping sweeps are defeated by host firewalls and by ICMP filtering between segments, so cross-check DHCP leases, switch MAC tables, and cloud asset APIs before declaring an address unused. Without this inventory you cannot prove coverage to an assessor; export it into your SSP and map each asset to a scan schedule.
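The reconciliation step above (live discovery against the inventory of record, then a cadence per asset class) is easy to do by hand once and hard to repeat every month. The following Python script is an added example, not code from the original post: it parses a constructed `nmap -sn -oX -` ping-sweep result, loads a constructed inventory export with the columns this step asks for, and reports hosts on the network that are missing from the inventory, inventory entries that did not answer discovery, and the scan cadence each asset gets. The hostnames, addresses and the SCHEDULE table are assumptions; replace the table with the cadences in your own SSP.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sn -oX -` output; not a capture from a real network.
NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sn -oX - 10.10.1.0/28">
  <host><status state="up" reason="arp-response"/>
    <address addr="10.10.1.2" addrtype="ipv4"/>
    <hostnames><hostname name="fw01.corp.example" type="PTR"/></hostnames></host>
  <host><status state="up" reason="arp-response"/>
    <address addr="10.10.1.10" addrtype="ipv4"/>
    <hostnames><hostname name="srv-files.corp.example" type="PTR"/></hostnames></host>
  <host><status state="up" reason="arp-response"/>
    <address addr="10.10.1.25" addrtype="ipv4"/>
    <hostnames/></host>
  <host><status state="down" reason="no-response"/>
    <address addr="10.10.1.40" addrtype="ipv4"/></host>
</nmaprun>
"""

# Constructed excerpt of the SSP asset inventory (the columns Step 1 asks you to keep).
INVENTORY_CSV = """ip,hostname,type,owner,location,processes_cui
10.10.1.2,fw01,firewall,netops,HQ,no
10.10.1.10,srv-files,server,it,HQ,yes
10.10.1.40,prn-lobby,printer,facilities,HQ,no
"""

# Assumed scan cadence per asset class, following the policy described in this post.
SCHEDULE = {
    "server": "monthly authenticated (SSH/WinRM)",
    "desktop": "monthly authenticated (agent or WinRM)",
    "laptop": "monthly authenticated (agent)",
    "vm": "monthly authenticated or cloud-native scanner",
    "container_image": "every build (Trivy/Clair/Anchore)",
    "firewall": "monthly credentialed (SSH/API) + quarterly config audit",
    "switch": "monthly SNMPv3/SSH + quarterly config audit",
    "printer": "monthly unauthenticated + firmware version check",
}


def parse_nmap_hosts(xml_text):
    """Return {ip: hostname or ''} for every host nmap reported as up."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        name = host.find("hostnames/hostname")
        hosts[addr.get("addr")] = name.get("name") if name is not None else ""
    return hosts


def load_inventory(csv_text):
    """Return {ip: row} from the inventory export."""
    return {row["ip"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def reconcile(discovered, inventory):
    """Compare live discovery with the inventory of record and assign cadences."""
    unmanaged = sorted(ip for ip in discovered if ip not in inventory)
    not_seen = sorted(ip for ip in inventory if ip not in discovered)
    # A CUI asset that did not answer discovery is a coverage gap, not a closed ticket.
    cui_not_seen = sorted(ip for ip in not_seen if inventory[ip]["processes_cui"] == "yes")
    schedule = {ip: SCHEDULE.get(row["type"], "UNMAPPED TYPE - review")
                for ip, row in inventory.items()}
    return {"unmanaged": unmanaged, "not_seen": not_seen,
            "cui_not_seen": cui_not_seen, "schedule": schedule}


if __name__ == "__main__":
    report = reconcile(parse_nmap_hosts(NMAP_XML), load_inventory(INVENTORY_CSV))
    for ip in report["unmanaged"]:
        print(f"UNMANAGED {ip}: answered discovery but is absent from the inventory")
    for ip in report["not_seen"]:
        print(f"NOT SEEN  {ip}: in inventory but did not answer discovery")
    for ip, cadence in report["schedule"].items():
        print(f"SCHEDULE  {ip}: {cadence}")
```

Run it after each discovery sweep and attach the output to the monthly scan record: the "unmanaged" list is the set of hosts an assessor would otherwise find for you, and the "not seen" list is your prompt to check DHCP, switch tables and cloud APIs before marking anything retired.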

Step 2 — Choose scanning approaches and tools for each device class

Use a mix of enterprise scanners and targeted tools: Tenable Nessus / Tenable Vulnerability Management (formerly Tenable.io), Qualys VMDR, and Rapid7 InsightVM (Nexpose) for broad coverage; Trivy, Clair, or Anchore for container image scanning; Amazon Inspector and Microsoft Defender for Cloud for cloud-native VMs; Nmap + NSE and OpenVAS (Greenbone) as low-cost/OSS options. For network devices and printers use vendor APIs, SSH credentialed checks, and SNMPv3 where supported. Whichever scanner you pick, confirm it can import your inventory and report per-asset coverage, because "scanned the subnet" is not evidence that a specific CUI host was assessed. Example small-business stack: Tenable for network/host scanning, Trivy in CI pipelines for images, and Amazon Inspector for cloud workloads; that covers most device classes.

Authenticated vs agentless scanning and credential details

Authenticated scans dramatically lower false positives and reveal missing patches and vulnerable packages that an unauthenticated port scan cannot see. For Linux/VMs use a dedicated scan account with key-based SSH authentication; many package and configuration checks need root, so grant privilege escalation through a sudo rule scoped to the scanner's commands rather than unrestricted sudo. For Windows use WinRM or SMB with a dedicated domain or local account; credentialed Windows checks (registry, file versions, installed software) generally require local administrator rights on the target, so make it a dedicated scanning account, deny it interactive logon, and never reuse a domain administrator. For network gear use SSH with dedicated read-only accounts or vendor APIs (e.g., Palo Alto PAN-OS API keys). For SNMP devices use SNMPv3 with authentication and privacy (authPriv); avoid SNMPv1/v2c, which send the community string in cleartext. Store credentials in a secrets manager, configure the scanner to pull them at scan time, rotate them, and alert on any use of the scan account outside scan windows: an account that can authenticate to everything is a high-value target in its own right.

Container and VM specifics

For containers, scan images at build time (Trivy, Clair, Anchore) and fail the pipeline or block the registry push when a high or critical finding has no documented exception. Add runtime detection (Falco, Aqua) to discover containers created outside CI, since a clean registry says nothing about images pulled directly onto a host. For VMs treat them like servers: run the VM agent or cloud-native scanner inside the guest, or use API-driven scans from the cloud control plane. For ephemeral containers and VMs integrate scanning into CI/CD so that every image was scanned before deployment, and keep the scan reports as build artifacts for audit evidence.
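Blocking on high/critical findings is one scanner flag; the part that needs code is the exception path, because a CI gate with no way to record an approved, time-limited exception is the gate everyone disables. The script below is an added example, not code from the original post or from the Trivy project: it reads a constructed report in the shape Trivy emits with `--format json`, blocks on CRITICAL and HIGH findings, and lets through only findings covered by a documented exception that has an owner, a POA&M reference and an expiry date. The image name, package names and the CVE-0000-* identifiers are placeholders, and the EXCEPTIONS list is a hypothetical POA&M excerpt.

```python
import json
import sys
from datetime import date

# Constructed report in the shape of `trivy image --format json` output; the image
# name, packages and CVE-0000-* identifiers are placeholders, not real findings.
TRIVY_JSON = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "registry.example/app:1.4.2",
    "Results": [
        {"Target": "registry.example/app:1.4.2 (debian 12.5)", "Class": "os-pkgs", "Type": "debian",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1", "InstalledVersion": "1.0-1",
              "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother2", "InstalledVersion": "2.3-4",
              "FixedVersion": "", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "tinytool", "InstalledVersion": "0.1",
              "FixedVersion": "0.2", "Severity": "LOW"},
         ]},
        # Trivy omits the Vulnerabilities key entirely for a clean target.
        {"Target": "app/requirements.txt", "Class": "lang-pkgs", "Type": "pip"},
    ],
})

# Hypothetical POA&M excerpt: every exception needs an owner, a reference and an expiry.
EXCEPTIONS = [
    {"id": "CVE-0000-0002", "poam": "POAM-012", "owner": "platform-team",
     "justification": "no upstream fix; package not reachable from exposed code paths",
     "expires": "2026-06-30"},
]

BLOCK_ON = {"CRITICAL", "HIGH"}


def evaluate_report(report_json, exceptions, today):
    """Apply the block-on-severity policy, honouring only unexpired exceptions."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    report = json.loads(report_json)
    active = {e["id"]: e for e in exceptions if date.fromisoformat(e["expires"]) >= today}
    expired = sorted(e["id"] for e in exceptions if e["id"] not in active)
    blocking, excepted = [], []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            if v["Severity"] not in BLOCK_ON:
                continue
            finding = {"id": v["VulnerabilityID"], "pkg": v["PkgName"], "severity": v["Severity"],
                       "installed": v["InstalledVersion"], "fixed": v.get("FixedVersion", ""),
                       "target": result["Target"]}
            if finding["id"] in active:
                finding["poam"] = active[finding["id"]]["poam"]
                excepted.append(finding)
            else:
                blocking.append(finding)
    return {"blocked": bool(blocking), "blocking": blocking,
            "excepted": excepted, "expired_exceptions": expired}


def main():
    verdict = evaluate_report(TRIVY_JSON, EXCEPTIONS, date.today())
    for f in verdict["blocking"]:
        fix = f"fix: {f['fixed']}" if f["fixed"] else "no fix available - needs a POA&M entry to pass"
        print(f"BLOCK    {f['severity']:8} {f['id']} {f['pkg']} {f['installed']} ({fix})")
    for f in verdict["excepted"]:
        print(f"EXCEPTED {f['severity']:8} {f['id']} {f['pkg']} tracked in {f['poam']}")
    for vid in verdict["expired_exceptions"]:
        print(f"EXPIRED  exception for {vid} has lapsed; the finding blocks again")
    # Non-zero exit fails the pipeline step and keeps the image out of the registry.
    return 1 if verdict["blocked"] else 0


if __name__ == "__main__":
    sys.exit(main())
```

Keep the exceptions file in the same repository as the pipeline so that adding one is a reviewed change, and have the pipeline print the expired list loudly: an exception that quietly lapses on a Friday is how a previously "accepted" finding turns into a blocked release on Monday.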

Step 3 — Scheduling, severity thresholds, remediation workflow, and evidence

Define scan frequency: full authenticated scans at least monthly for servers and endpoints, weekly or continuous for internet-facing assets, image scanning at every build, immediate scans after major changes, and a targeted rescan when a newly published vulnerability affects your systems (the second half of the 3.11.2 requirement). Map CVSS or your own risk ratings to SLAs: Critical (CVSS 9.0 or higher) remediate or mitigate within 15 days, High (7.0–8.9) within 30 days, Medium (4.0–6.9) within 60–90 days, and document these in policy. Feed scan results into a ticketing system (Jira, ServiceNow), track each finding from its first-seen date to closure, and record anything that will miss its SLA in a POA&M with an owner, a milestone date, and the compensating control in place meanwhile. Retain historical scan reports and remediation tickets for at least one year so you can show trend and remediation evidence to assessors.
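The SLA mapping above only produces evidence if something computes a due date for every open finding and flags the ones that are late without a POA&M entry. The script below is an added example, not code from the original post: it reads a constructed scan export (host, finding ID, CVSS score, first-seen date, status, POA&M reference), applies the Critical/High/Medium timelines stated above (Medium at the 90-day end of the range), and classifies each finding as fixed, within SLA, overdue but tracked in a POA&M, or overdue and untracked. The hosts and CVE-0000-* identifiers are placeholders, and the 180-day Low bucket is an assumption the post does not define.

```python
import csv
import io
from datetime import date, timedelta

# Remediation SLAs: (bucket, CVSS floor, days to remediate or mitigate). Critical, High and
# Medium follow this post's policy; the Low bucket is an assumption, adjust to your own policy.
SLA_POLICY = [("Critical", 9.0, 15), ("High", 7.0, 30), ("Medium", 4.0, 90), ("Low", 0.0, 180)]

# Constructed scan export; hosts and CVE-0000-* identifiers are placeholders, not real findings.
FINDINGS_CSV = """host,vuln_id,cvss,first_seen,status,poam_id
srv-files,CVE-0000-2001,9.8,2026-03-01,open,
fw01,CVE-0000-2002,7.5,2026-04-01,open,
prn-lobby,CVE-0000-2003,5.3,2026-01-10,open,POAM-007
srv-files,CVE-0000-2004,8.1,2026-03-20,fixed,
"""


def bucket(cvss):
    """Map a CVSS base score to (severity name, SLA days)."""
    for name, floor, days in SLA_POLICY:
        if cvss >= floor:
            return name, days
    return SLA_POLICY[-1][0], SLA_POLICY[-1][2]


def assess(findings_csv, today):
    """Return one row per finding with its SLA due date and remediation state."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    rows = []
    for f in csv.DictReader(io.StringIO(findings_csv)):
        severity, days = bucket(float(f["cvss"]))
        # The clock starts at first sight, not at ticket creation: that is what an assessor asks.
        due = date.fromisoformat(f["first_seen"]) + timedelta(days=days)
        past_due = (today - due).days
        if f["status"] == "fixed":
            state = "fixed"
        elif past_due <= 0:
            state = "within_sla"
        elif f["poam_id"]:
            state = "overdue_tracked"     # late, but an approved POA&M entry exists
        else:
            state = "overdue_untracked"   # late with no POA&M: this is the assessor finding
        rows.append({"host": f["host"], "vuln_id": f["vuln_id"], "severity": severity,
                     "due": due.isoformat(), "state": state,
                     "days_past_due": max(past_due, 0), "poam_id": f["poam_id"]})
    return rows


def summary(rows):
    """Count findings per state for the monthly status record."""
    counts = {}
    for r in rows:
        counts[r["state"]] = counts.get(r["state"], 0) + 1
    return counts


if __name__ == "__main__":
    rows = assess(FINDINGS_CSV, date.today())
    for r in rows:
        print(f"{r['state']:18} {r['severity']:8} {r['host']:10} {r['vuln_id']} "
              f"due {r['due']} (+{r['days_past_due']}d) {r['poam_id']}")
    print(summary(rows))
```

Run it against the scanner's export on the same day each month and file the output with the scan report; the "overdue_untracked" count is the number you want at zero before an assessment, and the "overdue_tracked" rows are the ones whose POA&M milestone dates need checking.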

Practical examples and small-business scenarios

Example 1: A 40-seat engineering company with hybrid cloud: deploy Tenable.io as SaaS, configure SSH and WinRM credentials, use Trivy in GitHub Actions to block vulnerable images, and run weekly authenticated scans of on-prem servers. Example 2: A small MSP managing clients with switches and printers: use Nmap discovery, enable SNMPv3 on managed switches, collect firmware versions in the inventory, and run quarterly config compliance scans plus monthly vulnerability scans for devices that host CUI. Document exceptions (e.g., legacy printers) in the SSP with compensating controls like network segmentation and limited access.

Risks of not implementing comprehensive scanning

Failing to scan every device creates blind spots attackers exploit: unpatched printers and switches, vulnerable images sitting in registries, or unmanaged VMs can lead to lateral movement, CUI exfiltration, and supply-chain compromise. For companies seeking DoD contracts, non-compliance can mean lost bids, a failed assessment, or termination of existing contracts. Operationally, vulnerabilities you never scanned for are the ones you discover during an incident, which lengthens response time and raises recovery costs substantially.

In summary, meeting RA.L2-3.11.2 is achievable for small businesses by building a verified asset inventory, using a blend of authenticated scanners and container tools, integrating scans into CI/CD and cloud-native services, defining remediation SLAs and workflows, and keeping auditable evidence in your SSP and POA&M. Prioritize credentialed scans and patching, document exceptions with an owner and an expiry, and demonstrate continuous monitoring to satisfy assessors and reduce real-world risk.

 
