As described by NIST, vulnerability scanning is a technique used to identify hosts/host attributes and associated vulnerabilities. (Source) NIST suggests that companies employ vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: Enumerating platforms, software flaws, and improper configurations; Formatting checklists and test procedures; and Measuring vulnerability impact. (Source)

Implementation

• Assured Compliance Assessment Solution (ACAS)

  ACAS consists of a suite of products to include the Security Center, Nessus Scanner and the Nessus Network Monitor which is provided by DISA to DoD Customers at no cost.

• Credentialed Vulnerability Scanning

  This brief slideshow presentation discusses general vulnerability concepts and stresses the importance of using administrator credentials for scanning.

• Introduction to Vulnerability Scanning Video

  In this video a security engineer introduces the viewer to NIST SP 800-171 Control 3.11.2 and vulnerability scanning.
• Open Web Application Security Project (OWASP) – Vulnerability Scanning Tools

  Open Web Application Security Project (OWASP) provides a list of commercial and free vulnerability scanning tools for various platforms.

• SANS Whitepaper – Implementing a Vulnerability Management Process

  This SANS whitepaper looks at how a vulnerability management process could be designed and implemented within an organization.

• SANS Whitepaper – Vulnerabilities & Vulnerability Scanning

  This SANS whitepaper discusses the benefits and pitfalls of Vulnerability Scanning suggests an approach suitable for small and medium-sized businesses.

• State of Alabama – Vulnerability Scanning Policy

  The policy below is an example from the state of Alabama of a vulnerability scanning policy.

Assessment

• BrightTALK – Is Your Vulnerability Management Program Vulnerable?

  In this two part webinar from BrightTALK discusses key challenges and pitfalls most vulnerability management programs face.

• National Cybersecurity Assessments and Technical Services (NCATS)

  NCATS is a service from the DHS that performs regular network and vulnerability scans and delivers a weekly report for your action.
• NIST Handbook 162 NIST MEP Cybersecurity Self-Assessment Handbook For Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements

  This Handbook provides a step-by-step guide to assessing a small manufacturer’s information systems against the security requirements in NIST SP 800-171 rev 1.

• NIST SP 800-115 Technical Guide to Information Security Testing and Assessment

  This NIST Special Publication is a guide to the basic technical aspects of conducting information security assessments.

• NIST SP 800-171A Assessing Security Requirements for Controlled Unclassified Information

  The purpose of this publication is to provide procedures for assessing the CUI requirements in NIST Special Publication 800-171.