GRCWatch
Sign inStart free trial

CIS Control 7.6: Automated Vulnerability Scanning of Externally-Exposed Assets

External-facing systems are your highest-risk attack surface. CIS Control 7.6 requires automated, regular vulnerability scanning to catch misconfigurations and exposures before attackers do. For SMBs with lean security teams, this control is foundational to proactive threat detection.

What this means

You must deploy a SCAP-compliant vulnerability scanner that automatically identifies weaknesses in internet-facing infrastructure—including web applications, APIs, cloud services, and network appliances. Monthly scans are the minimum; higher-risk organizations should scan weekly or continuously. The goal is systematic discovery and prioritization of exploitable flaws before external threat actors find them.

How to comply

  1. 1.Select a SCAP-compliant vulnerability scanning tool (e.g., Qualys, Rapid7, OpenVAS, Tenable Nessus) that covers your asset types
  2. 2.Define the scope: inventory all externally-exposed systems (public IPs, cloud instances, SaaS integrations, APIs, web portals)
  3. 3.Configure automated scans to run at minimum monthly; increase frequency for critical assets or after deployments
  4. 4.Set baseline vulnerability thresholds and escalation paths for high/critical findings
  5. 5.Integrate scan results with your asset management and incident response workflows
  6. 6.Document scan schedules, tools, and remediation timelines in your vulnerability management policy
  7. 7.Review scan results within SLA windows and track remediation metrics

Evidence auditors look for

  • Signed vulnerability scanning tool subscription or license with SCAP compliance certification
  • Scan configuration documentation showing asset scope, frequency (monthly+), and scheduling
  • Automated scan reports from the past 90 days with timestamps, asset coverage, and severity counts
  • Vulnerability remediation log showing identified issues, assigned owners, and closure dates
  • Scan result integration screenshots showing import into ticketing or asset management systems
  • Policy document defining vulnerability management roles, scan cadence, and remediation SLAs

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates vulnerability scan scheduling, result aggregation, and remediation tracking across your external infrastructure—connecting scan findings directly to audit evidence and compliance reporting so you prove CIS 7.6 compliance without manual log wrangling.

See how GRCWatch handles this control automatically

Start free trial

Related controls

CIS 2.1 (Software inventory and control)CIS 6.1 (Establish asset management program)CIS 7.5 (Use risk-based approach to vulnerability management)CIS 7.7 (Remediation of vulnerability findings)