NIST SP 800-171 & CMMC 2.0 - 3.11.1

Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of “Controlled Unclassified Information” (CUI).

NIST SP 800-171 & CMMC 2.0 - 3.11.2

Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. Solutions like Nessus can be used to meet this requirement. Ensure that you scan for vulnerabilities on all devices connected to the network including servers, desktops, laptops, virtual machines, containers, firewalls, switches, and printers

NIST SP 800-171 & CMMC 2.0 - 3.11.3

Remediate vulnerabilities in accordance with risk assessments.