NIST provides explicit requirements for vulnerability scanning under Control RA-5: Vulnerability Scanning.
a. Scan for vulnerabilities in the information system and hosted applications and when new vulnerabilities potentially affecting the system/applications are identified and reported;
b. Employ vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
- Enumerating platforms, software flaws, and improper configurations;
- Formatting checklists and test procedures; and
- Measuring vulnerability impact;
c. Analyze vulnerability scan reports and results from security control assessments;
d. Remediate legitimate vulnerabilities in accordance with an organizational assessment of risk; and
e. Share information obtained from the vulnerability scanning process and security control assessments internally to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).