The Chief Information Officer should enforce current guidance to conduct periodic reviews of the scanning exception list to ensure that vulnerability scanning exceptions are properly documented and devices lacking required documentation are added back to the vulnerability scanning footprint as required.