CIS Control 7.5: Perform Automated Vulnerability Scans of Internal Enterprise Assets
Vulnerability scanning is your first line of defense against exploitation of known security weaknesses. CIS Control 7.5 requires organizations to conduct regular, automated scans of internal assets using SCAP-compliant tools to identify and prioritize remediation efforts before attackers can exploit them.
What this means
CIS Control 7.5 mandates that organizations scan their internal enterprise assets for vulnerabilities at least quarterly using automated, SCAP-compliant scanning tools. These scans must include both authenticated scans (with credentials to assess deeper system configurations) and unauthenticated scans (simulating external attacker perspective). The goal is to discover known vulnerabilities in operating systems, applications, and services before they can be exploited, enabling your team to prioritize and remediate critical exposures.
How to comply
- 1.Select and deploy a SCAP-compliant vulnerability scanning tool that supports both authenticated and unauthenticated scanning capabilities
- 2.Define your internal asset inventory, including servers, workstations, network devices, and applications to be scanned
- 3.Configure authenticated scans with appropriate service accounts that have sufficient permissions to assess system configurations and installed software
- 4.Establish unauthenticated scanning credentials and network access to simulate external reconnaissance
- 5.Schedule automated scans to run at minimum quarterly, with monthly or continuous scanning preferred for high-risk assets
- 6.Document scan policies, including scope, frequency, and remediation timelines for identified vulnerabilities
- 7.Establish a process to review scan results, prioritize findings by severity, and assign remediation tasks to relevant teams
- 8.Track remediation efforts and re-scan to verify that vulnerabilities have been addressed
- 9.Maintain audit logs of all scans, results, and remediation activities for compliance evidence
Evidence auditors look for
- Vulnerability scan reports showing quarterly scans with timestamps and asset coverage
- SCAP scanner configuration documentation specifying authenticated and unauthenticated scan parameters
- Scan scheduling records demonstrating at least quarterly execution frequency
- Vulnerability remediation tracking logs linking scan findings to remediation tickets and closure dates
- Service account documentation used for authenticated scans with justification for permissions granted
- Network segmentation and firewall rules enabling scanner access to internal assets
- Comparison reports showing scan results across multiple quarters to demonstrate ongoing vulnerability management
- Remediation SLA documentation defining response timeframes for Critical, High, Medium, and Low severity findings
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates vulnerability scan scheduling, aggregates results from SCAP-compliant tools, tracks remediation workflows, and generates audit-ready evidence of quarterly scans—eliminating manual tracking and proof-of-compliance headaches.
See how GRCWatch handles this control automatically
Start free trial