Final answer:
Federal agencies must conduct vulnerability scanning on all systems regardless of impact level, including high-, moderate-, or low-impact systems, to ensure comprehensive security and timely mitigation of vulnerabilities.
Step-by-step explanation:
When it comes to vulnerability scanning programs within federal agencies, such programs are not limited to systems with a specific level of impact or those containing classified information. Instead, vulnerability scanning is critical in safeguarding all types of information systems regardless of their impact level. This is due to the potential for any system to be exploited and possibly serve as a gateway to more sensitive systems or data. Therefore, the correct answer to which systems must be covered by vulnerability scanning programs is:
D. High-, Moderate-, or Low-Impact Systems
.
By regularly scanning systems at all impact levels, federal agencies ensure that vulnerabilities are identified and mitigated timely, thus maintaining the integrity, confidentiality, and availability of their information systems against potential threats.