Skip to main content

VPM-06: Vulnerability Scanning

VPM 9 — Critical Detect

Mechanisms exist to detect vulnerabilities and configuration errors by routine vulnerability scanning of systems and applications.

Control Question: Does the organization detect vulnerabilities and configuration errors by routine vulnerability scanning of systems and applications?

General (53)
Framework Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source) CC3.2-POF7 CC3.4-POF6 CC7.1 CC7.1-POF5 CC9.2-POF13
CIS CSC 8.1 7.5 7.6
CIS CSC 8.1 IG2 7.5 7.6
CIS CSC 8.1 IG3 7.5 7.6
COBIT 2019 DSS05.07
CSA CCM 4 TVM-03 TVM-07
CSA IoT SCF 2 VLN-04
GovRAMP Core RA-05
GovRAMP Low RA-05
GovRAMP Low+ RA-05
GovRAMP Moderate RA-05
GovRAMP High RA-05
IMO Maritime Cyber Risk Management 3.5.2.3
ISO 27002 2022 8.8
MITRE ATT&CK 10 T1011.001, T1021.001, T1021.003, T1021.004, T1021.005, T1021.006, T1046, T1047, T1052, T1052.001, T1053, T1053.001, T1053.002, T1053.003, T1053.005, T1059, T1059.001, T1059.005, T1059.007, T1068, T1078, T1091, T1092, T1098.004, T1127, T1127.001, T1133, T1137, T1137.001, T1176, T1190, T1195, T1195.001, T1195.002, T1204.003, T1210, T1211, T1212, T1213, T1213.001, T1213.002, T1213.003, T1218, T1218.003, T1218.004, T1218.005, T1218.008, T1218.009, T1218.012, T1218.013, T1218.014, T1221, T1482, T1484, T1505, T1505.001, T1505.002, T1505.003, T1505.004, T1525, T1528, T1530, T1542.004, T1542.005, T1543, T1546.002, T1546.014, T1547.006, T1547.007, T1547.008, T1548, T1548.002, T1548.003, T1552, T1552.001, T1552.002, T1552.004, T1552.006, T1557, T1558.004, T1559, T1559.002, T1560, T1560.001, T1562, T1562.010, T1563, T1563.001, T1563.002, T1574, T1574.001, T1574.004, T1574.005, T1574.007, T1574.008, T1574.009, T1574.010, T1578, T1578.001, T1578.002, T1578.003, T1612
MPA Content Security Program 5.1 TS-4.0
NIST AI 600-1 MS-2.6-007
NIST 800-53 R4 RA-5
NIST 800-53 R4 (low) RA-5
NIST 800-53 R4 (moderate) RA-5
NIST 800-53 R4 (high) RA-5
NIST 800-53 R5 (source) RA-5
NIST 800-53B R5 (low) (source) RA-5
NIST 800-53B R5 (moderate) (source) RA-5
NIST 800-53B R5 (high) (source) RA-5
NIST 800-82 R3 LOW OT Overlay RA-5
NIST 800-82 R3 MODERATE OT Overlay RA-5
NIST 800-82 R3 HIGH OT Overlay RA-5
NIST 800-161 R1 RA-5
NIST 800-161 R1 C-SCRM Baseline RA-5
NIST 800-161 R1 Flow Down RA-5
NIST 800-161 R1 Level 2 RA-5
NIST 800-161 R1 Level 3 RA-5
NIST 800-171 R2 (source) 3.11.2
NIST 800-171A (source) 3.11.2[a] 3.11.2[b] 3.11.2[c] 3.11.2[d] 3.11.2[e]
NIST 800-171 R3 (source) 03.11.02.a
NIST 800-171A R3 (source) A.03.11.02.ODP[01] A.03.11.02.ODP[02] A.03.11.02.ODP[04] A.03.11.02.a[01] A.03.11.02.a[02] A.03.11.02.a[03] A.03.11.02.a[04] A.03.11.02.c[01] A.03.11.02.c[02]
NIST CSF 2.0 (source) ID.RA-01
OWASP Top 10 2021 A05:2021 A06:2021
PCI DSS 4.0.1 (source) 6.4.1 11.3 11.3.1 11.3.1.1 11.3.1.2 11.3.1.3 11.3.2 11.3.2.1
PCI DSS 4.0.1 SAQ A (source) 11.3.2 11.3.2.1
PCI DSS 4.0.1 SAQ A-EP (source) 6.4.1 11.3.2 11.3.2.1
PCI DSS 4.0.1 SAQ B-IP (source) 11.3.2
PCI DSS 4.0.1 SAQ C (source) 11.3.1 11.3.1.3 11.3.2 11.3.2.1
PCI DSS 4.0.1 SAQ D Merchant (source) 6.4.1 11.3.1 11.3.1.1 11.3.1.2 11.3.1.3 11.3.2 11.3.2.1
PCI DSS 4.0.1 SAQ D Service Provider (source) 6.4.1 11.3.1 11.3.1.1 11.3.1.2 11.3.1.3 11.3.2 11.3.2.1
SPARTA CM0008 CM0011
SWIFT CSF 2023 2.7
SCF CORE Fundamentals VPM-06
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) VPM-06
SCF CORE ESP Level 1 Foundational VPM-06
SCF CORE ESP Level 2 Critical Infrastructure VPM-06
SCF CORE ESP Level 3 Advanced Threats VPM-06
US (32)
Framework Mapping Values
US C2M2 2.1 THREAT-1.B.MIL1 THREAT-1.C.MIL1 THREAT-1.D.MIL1 THREAT-1.F.MIL2 THREAT-1.K.MIL3
US CERT RMM 1.2 MON:SG2.SP1 MON:SG2.SP2 MON:SG2.SP3 MON:SG2.SP4 VAR:SG2.SP1 VAR:SG2.SP2 VAR:SG2.SP3 VAR:SG3.SP1 VAR:SG4.SP1
US CMMC 2.0 Level 2 (source) RA.L2-3.11.2
US CMMC 2.0 Level 3 (source) RA.L2-3.11.2
US CMS MARS-E 2.0 RA-5
US DHS CISA TIC 3.0 3.UNI.VMANG
US DHS ZTCF EPM-02
US FedRAMP R4 RA-5
US FedRAMP R4 (low) RA-5
US FedRAMP R4 (moderate) RA-5
US FedRAMP R4 (high) RA-5
US FedRAMP R4 (LI-SaaS) RA-5
US FedRAMP R5 (source) RA-5
US FedRAMP R5 (low) (source) RA-5
US FedRAMP R5 (moderate) (source) RA-5
US FedRAMP R5 (high) (source) RA-5
US FedRAMP R5 (LI-SaaS) (source) RA-5
US FFIEC D3.DC.Th.E.5
US GLBA CFR 314 2023 (source) 314.4(d)(2) 314.4(d)(2)(ii)
US HIPAA HICP Small Practice 2.S.A 7.S.A
US HIPAA HICP Medium Practice 7.M.A 7.M.B
US HIPAA HICP Large Practice 7.M.A 7.M.B 7.L.A 9.L.A 9.L.B
US IRS 1075 RA-5
US NERC CIP 2024 (source) CIP-010-4 3.1 CIP-010-4 3.2.1 CIP-010-4 3.2.2 CIP-010-4 3.3 CIP-010-4 3.4
US NISPOM 2020 8-614
US SSA EIESR 8.0 5.6
US - CA CCPA 2025 7123(c)(5)(D) 7123(c)(6)
US - NY DFS 23 NYCRR500 2023 Amd 2 500.5(a)(2)
US - OR 646A 622(2)(B)(iii) 622(2)(d)(A)(iii)
US - TX DIR Control Standards 2.0 RA-5
US - TX TX-RAMP Level 1 RA-5
US - TX TX-RAMP Level 2 RA-5
EMEA (11)
Framework Mapping Values
EMEA EU DORA 25.1 25.2 25.3
EMEA EU NIS2 Annex 6.10.2(b)
EMEA Germany Banking Supervisory Requirements for IT (BAIT) 5.6
EMEA Germany C5 2020 OPS-22 PSS-02 PSS-03
EMEA Israel CDMO 1.0 3.4 9.25 12.30 22.3 22.6
EMEA Saudi Arabia CSCC-1 2019 2-9-1-1 2-9-2
EMEA Saudi Arabia IoT CGIoT-1 2024 2-9-1
EMEA Saudi Arabia ECC-1 2018 2-10-3-1
EMEA Saudi Arabia SACS-002 TPC-85
EMEA UAE NIAF 3.1.3
EMEA UK DEFSTAN 05-138 2402
APAC (7)
Framework Mapping Values
APAC Australia Essential 8 ML1-P1 ML1-P2 ML2-P1 ML2-P2 ML3-P1 ML3-P2
APAC Australia ISM June 2024 ISM-1163 ISM-1698 ISM-1699 ISM-1700 ISM-1701 ISM-1702 ISM-1703 ISM-1752
APAC India SEBI CSCRF ID.RA.S1
APAC New Zealand HISF 2022 HHSP26 HHSP59 HML26 HML59 HSUP51
APAC New Zealand HISF Suppliers 2023 HSUP51
APAC New Zealand NZISM 3.6 6.2.5.C.01
APAC Singapore MAS TRM 2021 13.1.1 13.1.2
Americas (4)
Framework Mapping Values
Americas Bermuda BMACCC 6.15
Americas Canada CSAG 2.5
Americas Canada OSFI B-13 3.1.2 3.1.3
Americas Canada ITSP-10-171 03.11.02.A

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to detect vulnerabilities and configuration errors by routine vulnerability scanning of systems and applications.

Level 1 — Performed Informally

Vulnerability & Patch Management (VPM) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Attack Surface Management (ASM) is decentralized.
  • IT personnel apply software patches through an informal process.
  • Occasional vulnerability scanning is conducted on High Value Assets (HVAs).
  • Vulnerability scanning services may not be internal competencies and have to be outsourced.
Level 2 — Planned & Tracked

Vulnerability & Patch Management (VPM) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Identify cybersecurity and data protection controls to address applicable statutory, regulatory and contractual requirements for ASM. o Apply software patches and other vulnerability remediation efforts.

  • Attack Surface Management (ASM) is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  • IT/cybersecurity personnel:
  • Administrative processes and technologies focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.
Level 3 — Well Defined

Vulnerability & Patch Management (VPM) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Defines the scope of ASM activities. o Provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and data protection controls to protect the confidentiality, integrity, availability and safety of the organization's applications, systems, services and data with regards to ASM. o Provides oversight of ASM activities to centrally manage the flaw remediation process as part of the organization's overall Patch& Vulnerability & Patch Management Program (VPMP). o Manages the identification, tracking and remediation of vulnerabilities. o Utilizes a Security Incident Event monitor (SIEM), or similar automated tool, to monitor for unauthorized activities, accounts, connections, devices and software according to organization-specific Indicators of Compromise (IoC), including feeds from applications, hosts, network devices and vulnerability scanners.

  • An IT Asset Management (ITAM) function, or similar function, categorizes devices according to the data the asset stores, transmits and/ or processes and applies the appropriate technology controls to protect the asset and data.
  • A Governance, Risk & Compliance (GRC) function, or similar function:
  • A Security Operations Center (SOC), or similar function:
  • Asset custodians install the latest stable version of security-related updates on all systems within the organization-defined time requirements.
  • Comprehensive vulnerability scanning is utilized to detect vulnerabilities and configuration errors for systems, applications and services across the enterprise. Scanning is performed in accordance with statutory, regulatory and contractual obligations for scope, recurrence and rescanning.
Level 4 — Quantitatively Controlled

Vulnerability & Patch Management (VPM) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
  • Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
  • Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
  • Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
  • Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
  • Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving

Vulnerability & Patch Management (VPM) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions.
  • Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.

Assessment Objectives

  1. VPM-06_A01 the frequency at which the system is scanned for vulnerabilities is defined.
  2. VPM-06_A02 response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk are defined.
  3. VPM-06_A03 personnel or roles with whom information obtained from the vulnerability scanning process and control assessments areto be shared.
  4. VPM-06_A04 vulnerability scan reports and results from vulnerability monitoring are analyzed.
  5. VPM-06_A05 systems and hosted applications are scanned for vulnerabilities frequently and/or randomly in accordance with organization-defined process and when new vulnerabilities potentially affecting the system are identified and reported.
  6. VPM-06_A06 vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools.
  7. VPM-06_A07 vulnerability monitoring tools and techniques are employed to automate parts of the vulnerability management process by using standards for enumerating platforms, software flaws and improper configurations.
  8. VPM-06_A08 vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for formatting checklists and test procedures.
  9. VPM-06_A09 vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for measuring vulnerability impact.
  10. VPM-06_A10 the system is scanned for vulnerabilities per an organization-defined frequency.
  11. VPM-06_A11 vulnerability scans are performed on applications with the defined frequency.
  12. VPM-06_A12 the system is monitored for vulnerabilities when new vulnerabilities that affect the system are identified.
  13. VPM-06_A13 the system is scanned for vulnerabilities when new vulnerabilities that affect the system are identified.
  14. VPM-06_A14 legitimate vulnerabilities are remediated response times in accordance with an organizational assessment of risk.
  15. VPM-06_A15 information obtained from the vulnerability monitoring process and control assessments is shared with personnel or roles to help eliminate similar vulnerabilities in other systems.
  16. VPM-06_A16 vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned are employed.
  17. VPM-06_A17 the frequency at which to update system vulnerabilities to be scanned is defined.
  18. VPM-06_A18 the system is monitored for vulnerabilities per an organization-defined frequency.
  19. VPM-06_A19 system vulnerabilities to be scanned are updated per an organization-defined frequency.
  20. VPM-06_A20 system vulnerabilities to be scanned are updated when new vulnerabilities are identified and reported.
  21. VPM-06_A21 the frequency at which the system is monitored for vulnerabilities is defined.
  22. VPM-06_A22 the system is monitored for vulnerabilities <A.03.11.02.ODP[01]: frequency>.
  23. VPM-06_A23 the system is scanned for vulnerabilities <A.03.11.02.ODP[02]: frequency>.
  24. VPM-06_A24 system vulnerabilities to be scanned are updated <A.03.11.02.ODP[04]: frequency>.

Evidence Requirements

E-VPM-05 Vulnerability Assessments

Documented evidence of internal and external vulnerability assessment activities.

Vulnerability Management

Technology Recommendations

Micro/Small

  • External vulnerability scans (unauthenticated)
  • Internal vulnerability scans (authenticated)
  • Nessus (https://tenable.com)
  • Qualys (https://qualys.com)
  • Rapid7 (https://rapid7.com)

Small

  • External vulnerability scans (unauthenticated)
  • Internal vulnerability scans (authenticated)
  • Nessus (https://tenable.com)
  • Qualys (https://qualys.com)
  • Rapid7 (https://rapid7.com)

Medium

  • External vulnerability scans (unauthenticated)
  • Internal vulnerability scans (authenticated)
  • Nessus (https://tenable.com)
  • Qualys (https://qualys.com)
  • Rapid7 (https://rapid7.com)

Large

  • External vulnerability scans (unauthenticated)
  • Internal vulnerability scans (authenticated)
  • Nessus (https://tenable.com)
  • Qualys (https://qualys.com)
  • Rapid7 (https://rapid7.com)

Enterprise

  • External vulnerability scans (unauthenticated)
  • Internal vulnerability scans (authenticated)
  • Nessus (https://tenable.com)
  • Qualys (https://qualys.com)
  • Rapid7 (https://rapid7.com)

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free