Tenable Vulnerability Management
by Tenable, Inc.
Exposure management platform for vulnerability assessment, prioritization, and risk analytics
Authoritative Sources
Key guidance documents from authoritative organizations.
Security configuration guide covering admin accounts, MFA, SAML SSO, API keys, linking keys, activity logs, and vulnerability prioritization.
NIST SP 800-40r4 §2.1: "Patching is one of several ways to respond to risks from software vulnerabilities." §3.2: "Organizations should approach patching from a per-asset perspective... Each asset has technical and mission/business characteristics that should be taken into consideration." §3.5: "Organizations should define a maintenance plan for each maintenance group for each applicable risk response scenario." Tenable VPR (Vulnerability Priority Rating) aligns with NIST risk-based prioritization guidance.
NIST SP 800-137 §1: "Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions." §2.3: "Tools supporting automated monitoring of some aspects of information systems have become an effective means for both data capture and data analysis. Ease of use, accessibility, and broad applicability across products and across vendors help to ensure that monitoring tools can be readily deployed in support of near real-time, risk-based decision making." Tenable provides continuous vulnerability assessment supporting ISCM programs.
NIST SP 800-115 Abstract: "Provides organizations with recommendations for designing, implementing, and maintaining technical information security testing and assessment processes." §3.1: "Vulnerability scanning is used to identify vulnerabilities in hosts and their services, and can be used to identify outdated software versions, missing patches, and misconfigurations." §4.2: "Target identification and analysis techniques help organizations determine the security posture of their systems." Tenable implements comprehensive vulnerability scanning aligned with NIST security testing methodology.
CIS Critical Security Control 7 (Continuous Vulnerability Management) requires organizations to continuously identify, prioritize, and remediate vulnerabilities. Tenable provides automated scanning, VPR-based prioritization, and remediation tracking.
CISA Binding Operational Directive 22-01 requires federal civilian agencies to remediate vulnerabilities listed in the Known Exploited Vulnerabilities (KEV) catalog by the catalog's due dates. Tenable integrates CISA KEV data and predictive prioritization.
SOC 2 CC7.1: "To meet its objectives, the entity uses detection and monitoring procedures to identify changes to configurations that result in the introduction of new vulnerabilities, and susceptibilities to newly discovered vulnerabilities." Tenable provides continuous vulnerability assessment, VPR-based risk scoring, and exposure analytics that directly support CC7.1 requirements for detecting and monitoring vulnerabilities. Source: AICPA Trust Services Criteria.
ISO 27001:2022 A.8.8: "Information about technical vulnerabilities of information systems in use shall be obtained in a timely fashion, the organisation's exposure to such vulnerabilities shall be evaluated, and appropriate measures taken to address the associated risk." Tenable provides continuous vulnerability intelligence, exposure assessment with VPR scoring, and remediation prioritization that implements A.8.8 requirements for technical vulnerability management. Source: ISO/IEC 27001:2022 Annex A.
CCM TVM-02: "Define, implement and evaluate processes, procedures and technical measures for the detection of vulnerabilities on organizationally managed assets at least monthly." CCM TVM-03: "Define and implement processes, procedures and technical measures for timely remediation of vulnerabilities." Tenable automated scanning and exposure management directly implement CCM TVM controls for vulnerability detection and risk-based remediation. Source: CSA Cloud Controls Matrix v4.0.
Verification Commands
Commands and queries for testing and verifying security configurations.
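The endpoint list below is a bare inventory. As an added worked example (not code from this page or from Tenable), the following Python script chains the calls a practitioner actually needs for the vulns export: request the export, poll its status until it is FINISHED, download every available chunk, and rank the findings by VPR with a CVSS fallback. The endpoints, the X-ApiKeys header, and the status values follow the public Tenable Vulnerability Management API; the FakeTransport class and the SAMPLE_CHUNK findings are constructed so the script runs offline, and the placeholder key strings are assumptions.

```python
"""Request, poll and download a Tenable VM vulns export, then rank by VPR.

Added example, not Tenable's code. Endpoint paths, headers and status values
follow the public Tenable VM API; FakeTransport and SAMPLE_CHUNK are
constructed stand-ins so the script runs offline.
"""
import json
import urllib.request

BASE_URL = "https://cloud.tenable.com"


def api_keys_header(access_key, secret_key):
    """Tenable VM authenticates API calls with the X-ApiKeys header."""
    return {"X-ApiKeys": f"accessKey={access_key};secretKey={secret_key}",
            "Accept": "application/json"}


def http_transport(method, path, headers, body=None):
    """Real transport over HTTPS; returns the decoded JSON response."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(BASE_URL + path, data=data, method=method, headers=headers)
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.loads(resp.read().decode())


def export_vulns(transport, headers, severities=("critical", "high"), num_assets=500):
    """Three-step export: POST the request, poll the status, fetch each chunk."""
    req = transport("POST", "/vulns/export", headers,
                    {"num_assets": num_assets,
                     "filters": {"severity": list(severities),
                                 "state": ["open", "reopened"]}})
    export_uuid = req["export_uuid"]
    while True:
        status = transport("GET", f"/vulns/export/{export_uuid}/status", headers)
        if status["status"] == "FINISHED":
            break
        if status["status"] in ("CANCELLED", "ERROR"):
            raise RuntimeError(f"export {export_uuid} ended with {status['status']}")
        # Against the live API, sleep a few seconds here before polling again.
    findings = []
    for chunk_id in status["chunks_available"]:
        findings.extend(transport("GET", f"/vulns/export/{export_uuid}/chunks/{chunk_id}", headers))
    return findings


def rank_findings(findings):
    """Highest VPR first; findings without a VPR fall back to CVSS base score."""
    def key(f):
        plugin = f.get("plugin", {})
        vpr = (plugin.get("vpr") or {}).get("score")
        return (vpr if vpr is not None else -1, plugin.get("cvss_base_score", 0))
    return sorted(findings, key=key, reverse=True)


# Constructed findings; field layout follows the vulns export schema.
SAMPLE_CHUNK = [
    {"asset": {"hostname": "web01"}, "severity": "critical",
     "plugin": {"id": 1001, "name": "A", "cvss_base_score": 9.8, "vpr": {"score": 6.7}}},
    {"asset": {"hostname": "db01"}, "severity": "high",
     "plugin": {"id": 1002, "name": "B", "cvss_base_score": 7.5, "vpr": {"score": 9.2}}},
    {"asset": {"hostname": "app02"}, "severity": "high",
     "plugin": {"id": 1003, "name": "C", "cvss_base_score": 8.1}},  # no VPR yet
]


class FakeTransport:
    """Constructed stand-in that reports PROCESSING once, then FINISHED."""
    def __init__(self):
        self.polls = 0

    def __call__(self, method, path, headers, body=None):
        if (method, path) == ("POST", "/vulns/export"):
            return {"export_uuid": "00000000-0000-0000-0000-000000000001"}
        if path.endswith("/status"):
            self.polls += 1
            if self.polls < 2:
                return {"status": "PROCESSING", "chunks_available": []}
            return {"status": "FINISHED", "chunks_available": [1]}
        if "/chunks/" in path:
            return list(SAMPLE_CHUNK)
        raise ValueError(f"unexpected call {method} {path}")


def demo():
    """Run the export against the fake transport and return (host, plugin id) in priority order."""
    headers = api_keys_header("ACCESS_KEY_PLACEHOLDER", "SECRET_KEY_PLACEHOLDER")  # assumed values
    ranked = rank_findings(export_vulns(FakeTransport(), headers))
    return [(f["asset"]["hostname"], f["plugin"]["id"]) for f in ranked]


if __name__ == "__main__":
    for host, plugin_id in demo():
        print(host, plugin_id)
```

To run this against a live tenant, pass http_transport instead of FakeTransport(), read the access and secret keys from the environment rather than embedding them, and add a short sleep between status polls. Note that the export reads "state" as well as "severity": without the state filter the download also returns fixed findings, which inflate any count used for tracking.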
GET /scans
POST /vulns/export { "filters": { "severity": ["critical", "high"] } }
GET /scanners/1/agent-groups
POST /assets/export { "chunk_size": 100 }
GET /scans/{scan_id}/status
GET /scans/{scan_id}/export/{file_id}/download
POST /vulns/export { "filters": { "plugin_family": ["CISA Known Exploited Vulnerabilities"] } }
GET /tags/values
GET /workbenches/vulnerabilities?filter.0.filter=severity&filter.0.quality=eq&filter.0.value=Critical
POST /compliance/export { "asset_uuid": "all" }
Related Controls
Security controls from various frameworks that relate to Tenable Vulnerability Management.