CIS Control 1

CIS Control 3: Continuous Vulnerability Management

This article breaks down CIS Control 3: Continuous Vulnerability Management and the seven sub controls associated with the third basic security control.

Organizations are constantly faced with new information. From software updates to patches and threat bulletins, understanding and properly managing vulnerabilities requires a significant amount of attention and resources. Attackers and their victims have access to the same information. By not proactively scanning for vulnerabilities and remediating security flaws, the likelihood of an attacker compromising an organization’s system is very high.

Implementing a vulnerability management tool can help you spot any holes in your environment that could potentially be exploited by an attacker before a breach occurs.

Let’s dive right into CIS Control 3 and the seven sub control requirements.

3.1: Run Automated Vulnerability Scanning Tools

  • Utilize an up-to-date SCAP-compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization’s systems.

In this sub control, organizations are advised to conduct automated scans to stay up to date on any new vulnerabilities that have been introduced and any changes that have been made across the network. Weekly scans are suggested for less-critical systems, but do keep in mind – the more frequently you scan, the quicker issues can be addressed. By automating these scans your organization will known that status of all scanned systems and be able to prioritize the vulnerabilities that are posing the most harm to your security posture.

Using NNT Vulnerability Tracker will allow your organization to detect and identify these vulnerable protocols. Any vulnerabilities identified are reported with full background and remediation guidance. You can learn more about our Vulnerability Tracker solution by watching our new video overview.

3.2: Perform Authenticated Vulnerability Scanning

  • Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested.

This sub control emphasizes the importance of performing authenticated vulnerability scans as these scans gather information from both the outside of the end as well as the inside. Both kinds of information are important, but the data gathered through authenticated scans allows the scanning solution to draw better conclusions of the end point’s vulnerability state.

NNT Vulnerability Tracker exposes any vulnerabilities that are identified in this scan with a detailed background on the vulnerability and remediation guidance included.

Request your personalized Configuration Remediation Kit

3.3: Protect Dedicated Assessment Accounts

  • Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses.

This sub control recommends using a dedicated account for authenticated vulnerability scans with no privilege access required for scanning. This will help curb the risk of credential theft. NNT recommends our Vulnerability Tracker solution which will alert you and report on all account and machine activity in real-time.

3.4: Deploy Automated Operating System Patch Management Tools

  • Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.

3.5: Deploy Automated Software Patch Management Tools

  • Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.

whitepaper thumbnail

Sub controls 4 and 5 of CIS Control 3 advise organizations to deploy automated operating system and software patch management tools. Using these tools will ensure that critical security flaws are patched as soon as a fix is made available to the public. This allows for more consistency and less reliance on users to manually update software tools and operating systems. With that being said, there are still updates that will need to be done manually, so relying completely on these solutions would be a poor patch management practice.

Learn about the risks associated with running outdated software in our whitepaper The Problem with Running Outdated Software

3.6: Compare Back-to-Back Vulnerability Scans

  • Regularly compare the results from back-to-back vulnerability scans to verify that vulnerabilities have been remediated in a timely manner

The most effective vulnerability scanning solutions compare results from the current scan with previous ones to determine how the vulnerabilities have changed over time. With NNT’ Vulnerability Tracker, you can compare back-to-back scanning results to verify that all critical vulnerabilities are addressed, by either patching or by documenting an exception.

3.7: Utilize a Risk-Rating Process

  • Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

Figure 1: CIS Control 3 – System Entity Relationship Diagram
CIS Control 1


The goal of CIS Control 3 is to identify and remove any technical weaknesses that exist within your information systems. To reduce your risk, organizations are advised to implement patch management systems that cover operating systems and third-party application vulnerabilities. Organizations are also encouraged to implement a commercial vulnerability management system to allow them to detect and remediate exploitable software weaknesses.

NNT Vulnerability Tracker continuously scans operating systems, network devices and web applications to assign risk rankings for any identified vulnerabilities, with detailed remediation guidance provided. Vulnerability Tracker provides you with a ‘live feed’ of any new vulnerabilities identified and relevant tests to expose the existence within the network. Any vulnerabilities identified are reported with full background and remediation guidance.

You can even address most of these requirements for free by downloading the Greenbone Security Manager Community Edition.

essential CIS Controls

Contact Us

USA Offices

New Net Technologies LLC
4850 Tamiami Trail, Suite 301
Naples, Florida, 34103

New Net Technologies LLC
1175 Peachtree St NE
Atlanta, Georgia, 30361.

Tel: (844) 898-8358
[email protected]


UK Office

New Net Technologies Ltd
The Russell Building, West Common
Harpenden, Hertfordshire

Tel: 020 3917 4995
 [email protected]

SC Magazine Cybersecurity 500 CSGEA Winners 2021 CIS benchmarking SEWP Sans Institute Now Certified IBM Security
Copyright 2021, New Net Technologies LLC. All rights reserved. 
NNT and Change Tracker are registered trademarks of New Net Technologies LLC.
All other product, company names and trademarks are the property of their respective owners.