Vulnerability scanning uses software that attempts to connect to hosts on a specified range of ports. When the scanner finds an open port, it tries to identify the software listening on that port and checks it against a list of known vulnerabilities. If the system proves to be vulnerable, the finding is added to the report.
The information from a vulnerability scan can be used to either attack the system using known weaknesses or to create a list of vulnerabilities to be addressed.
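The identification step described above, as an added example in Python (not code from the page or from any scanner product): constructed banners stand in for what a scanner would read after connecting to an open port, a constructed rule list with placeholder advisory ids stands in for a real vulnerability ruleset, and the output is the report of matches plus the per-host list of vulnerabilities to be addressed. Service names, hosts, versions and advisory ids are all invented for the example.

```python
"""Toy version-matching core of a vulnerability scanner (added example)."""
import re

# Constructed ruleset: (service, vulnerable from (inclusive), fixed in (exclusive),
# advisory id placeholder, short summary). Not real advisories.
RULES = [
    ("ExampleSSH", (7, 0), (7, 5), "ADVISORY-PLACEHOLDER-1", "remote code execution"),
    ("ExampleHTTP", (2, 4, 0), (2, 4, 50), "ADVISORY-PLACEHOLDER-2", "path traversal"),
]

# Constructed banners, one per (host, open port), as a scanner would capture them
OBSERVED = [
    ("10.0.0.5", 22, "SSH-2.0-ExampleSSH_7.4"),
    ("10.0.0.5", 80, "Server: ExampleHTTP/2.4.52"),
    ("10.0.0.9", 22, "SSH-2.0-ExampleSSH_7.9"),
    ("10.0.0.9", 8080, "Server: ExampleHTTP/2.4.41"),
    ("10.0.0.12", 21, "220 SomethingElse ready"),
]

# Product name followed by '_' or '/' and a dotted version number
BANNER_RE = re.compile(r"([A-Za-z]+)[_/](\d+(?:\.\d+)*)")


def parse_banner(banner):
    """Return (service, version tuple) or None when the banner is not recognised."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return m.group(1), tuple(int(p) for p in m.group(2).split("."))


def _pad(version, length):
    # Pad with zeros so (2, 4) compares as (2, 4, 0) against a 3-part range
    return version + (0,) * (length - len(version))


def in_range(version, low, high):
    """True when low <= version < high, comparing version components numerically."""
    n = max(len(version), len(low), len(high))
    return _pad(low, n) <= _pad(version, n) < _pad(high, n)


def match_rules(service, version):
    """All rules whose service name and vulnerable range cover this version."""
    return [r for r in RULES if r[0] == service and in_range(version, r[1], r[2])]


def scan_report(observed):
    """Build the findings list: one entry per (host, port, matched advisory)."""
    findings = []
    for host, port, banner in observed:
        parsed = parse_banner(banner)
        if parsed is None:
            continue  # unrecognised service: nothing to compare against the ruleset
        service, version = parsed
        for _, _, _, advisory, summary in match_rules(service, version):
            findings.append({
                "host": host, "port": port, "service": service,
                "version": ".".join(map(str, version)),
                "advisory": advisory, "summary": summary,
            })
    return findings


def remediation_list(findings):
    """Per-host, de-duplicated list of advisories to address (the defender's view)."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).add(f["advisory"])
    return {host: sorted(advisories) for host, advisories in by_host.items()}


if __name__ == "__main__":
    report = scan_report(OBSERVED)
    for f in report:
        print(f"{f['host']}:{f['port']} {f['service']} {f['version']} -> {f['advisory']} ({f['summary']})")
    print(remediation_list(report))
```

Real scanners do the same three things at much larger scale: fingerprint the listener, normalise the version, and compare it against a ruleset, which is why the ruleset's freshness matters as much as the scanner itself.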
They want your organization to scan its external systems so that vulnerabilities are discovered and addressed by you before they can be exploited.
It is expected that external vulnerability scanning is included in your security plans. You may include it in the vulnerability management plan or other policies.
Internal vulnerability scanning uses a vulnerability scanner to scan the internal networks for vulnerabilities. The scanner applies a set of rules to look for vulnerabilities caused by software weaknesses or misconfigured services.
The regular use of vulnerability scanners can help to detect vulnerabilities before they are exploited by malicious users or external parties. Vulnerability scanning is part of a comprehensive security policy.
They expect regular, automated scans by an up-to-date vulnerability scanner. This should be part of the security policies and procedures, and the procedures should include updating the scanner and its ruleset frequently so that the latest vulnerabilities are detected.
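One way to check that the procedure above is actually being followed, as an added example in Python (not from the page): given a constructed history of scan runs and the publication date of the ruleset each run used, the check reports every run whose ruleset was older than the allowed age, every gap between runs longer than the allowed interval, and whether the most recent run is overdue. The thresholds (30 days between scans, 7-day ruleset age) are assumptions chosen for the example, not values the page states.

```python
"""Check scan cadence and ruleset freshness against a written policy (added example)."""
from datetime import date

# Policy thresholds: assumptions for this example, not values from the page
MAX_DAYS_BETWEEN_SCANS = 30
MAX_RULESET_AGE_DAYS = 7

# Constructed scan history: (date the scan ran, publication date of the ruleset it used)
SCAN_HISTORY = [
    (date(2024, 1, 3), date(2024, 1, 1)),
    (date(2024, 1, 31), date(2024, 1, 29)),
    (date(2024, 3, 10), date(2024, 2, 20)),   # late scan run with a stale ruleset
    (date(2024, 4, 2), date(2024, 4, 1)),
]


def check_scan_cadence(history, today, max_gap=MAX_DAYS_BETWEEN_SCANS,
                       max_ruleset_age=MAX_RULESET_AGE_DAYS):
    """Return a list of (date, reason) violations; an empty list means the policy is met."""
    violations = []
    runs = sorted(history)  # oldest first, so gaps are measured between consecutive runs
    for i, (scan_day, ruleset_day) in enumerate(runs):
        age = (scan_day - ruleset_day).days
        if age > max_ruleset_age:
            violations.append((scan_day, f"ruleset {age} days old at scan time"))
        if i > 0:
            gap = (scan_day - runs[i - 1][0]).days
            if gap > max_gap:
                violations.append((scan_day, f"{gap} days since previous scan"))
    if runs:
        since_last = (today - runs[-1][0]).days
        if since_last > max_gap:
            violations.append((today, f"{since_last} days since last scan"))
    else:
        violations.append((today, "no scans on record"))
    return violations


if __name__ == "__main__":
    for when, reason in check_scan_cadence(SCAN_HISTORY, date(2024, 4, 20)):
        print(f"{when}: {reason}")
```

Feeding this the scanner's own run log (or the job scheduler's history) turns the policy sentence into something that can be evidenced at audit time and alerted on when it slips.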