3.11.2 Scan for vulnerabilities in organizational system and applications periodically and when new vulnerabilities affecting the system are identified. Is a formal written policy in place requiring regular vulnerability scans? Is the frequency to scan for vulnerabilities defined? Are vulnerability scans performed on systems that process, store, or transmit CDI/CUI? Are vulnerability scans performed on organizational systems that process, store, or transmit CDI/CUI when new vulnerabilities are identified? Is the list of scanned system vulnerabilities updated on a defined frequency or when new vulnerabilities are identified and reported?.