CIS Control 07: Continuous Vulnerability Management

Posted on January 8, 2025
CIS Controls v8

When it comes to cybersecurity, vulnerability management is one of the older technologies that still play a critical role in securing our assets. It is often overlooked, disregarded, or considered only for checkbox compliance needs, but a proper vulnerability management program can play a critical role in avoiding a series of data breaches.

CIS Control 07 provides the minimum requirements and table stakes, if you will, for establishing a successful vulnerability management program.

Key Takeaways for Control 7

At the core of CIS Control 7 is a reliance on known standards, terms from organizations like NIST and MITRE, that those of us in the cybersecurity space have heard for years. CVE, CVSS, OVAL, SCAP, and more are keywords that can be found throughout this document. While those terms frequently appear in this document, it is important to note that they are not the be-all and end-all of a vulnerability management program. The controls document notes that some systems, like CVSS, must be augmented by additional data. This is an important note to consider when planning continuous vulnerability management.

The biggest takeaway from Control 7 is that if a vulnerability is patched, it cannot be exploited. This is why the process is critical and becomes a continuous cycle:

  • Discover vulnerabilities
  • Prioritize vulnerabilities
  • Resolve vulnerabilities
  • Repeat

This control also serves as a great reminder of what vulnerability management is not. It should not be a reactionary process for 0-day vulnerabilities. You have other controls to help you mitigate that. Instead, this control is focused on reducing the known risk in your environment, something that many organizations often forget.

Safeguards for Control 7

7.1) Establish and Maintain a Vulnerability Management Process

Description: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually or when significant enterprise changes occur, that could impact this Safeguard.

Notes: The security function associated with this safeguard is Govern. This process should detail the process from start to finish, with important consideration given to the concept of a cyclical process. Vulnerability Management is not a one-and-done process, nor is it a set-it-and-forget-it process. Much like a bodybuilder visits the gym daily, this is about sets and reps and finding the correct mix that provides results for you.

7.2) Establish and Maintain a Remediation Process

Description: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly or more frequent reviews.

Notes: The security function associated with this safeguard is Govern. The remediation process is a subset of your vulnerability management process, with a focus on how you will actually fix the vulnerabilities that are discovered. This is where it is critical to develop a prioritization system that works for your organization and considers all external data that could influence the organization's risk.

7.3) Perform Automated Operating System Patch Management

Description: Perform operating system updates on enterprise assets through automated patch management on a monthly or more frequent basis.

Notes: The security function associated with this safeguard is Protect. It is important that the controls call out patch management as a subset of vulnerability management. Often, these processes are considered one and the same, but they are not. Patch management is about the deployment of patches, which may or may not resolve vulnerabilities; vulnerability management is about ultimately resolving those vulnerabilities and reducing your overall risk. Security patches often require post-patch configuration, something that patch management software often neglects to include, and your continuous vulnerability management program will identify those missed configurations.

7.4) Perform Automated Application Patch Management

Description: Perform application updates on enterprise assets through automated patch management on a monthly or more frequent basis.

Notes: The security function associated with this safeguard is Protect. This should be considered identical to Safeguard 3, with the added consideration that the attack surface provided by your applications is often far more extensive than your OS attack surface due to the sheer number of applications installed on some systems.

7.5) Perform Automated Vulnerability Scans of Internal Enterprise Assets

Description: Perform automated vulnerability scans of internal enterprise assets on a quarterly or more frequent basis. Conduct both authenticated and unauthenticated scans using a SCAP-compliant vulnerability scanning tool.

Notes: The security function associated with this safeguard is Identify. This is one of the controls where CIS veers the wrong way. While standards are good, SCAP-compliant does not indicate the value of a scanning tool; it is simply the adherence to specific standards. When considering a tool for scanning, consider depth and breadth of coverage along with both false positive and false negative rates. Additionally, understand the frequency with which updates to the tool’s coverage are released.

7.6) Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets

Description: Perform automated vulnerability scans of externally exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly or more frequent basis.

Notes: The security function associated with this safeguard is Identify. A good general rule to reduce complexity and ensure adoption is to use the same tool for scanning your internal and externally exposed assets.

7.7) Remediate Detected Vulnerabilities

Description: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.

Notes: The security function associated with this safeguard is Respond. Remediation is a key aspect of the process. Remediation is ultimately what reduces your risk, either by way of patching or another means. If you are missing the remediation step or failing to properly prioritize your results, you put your entire system at risk. The continuous vulnerability management process can easily become a house of cards, and staying on top of remediation can add stability to that fragile structure.

See how simple and effective security controls can create a framework that helps you protect your organization and data from known cyber-attack vectors by downloading this guide here.

Read more about the 18 CIS Controls here:

CIS Control 1: Inventory and Control of Enterprise Assets

CIS Control 2: Inventory and Control of Software Assets

CIS Control 3: Data Protection

CIS Control 4: Secure Configuration of Enterprise Assets and Software

CIS Control 5: Account Management

CIS Control 6: Access Control Management

CIS Control 7: Continuous Vulnerability Management

CIS Control 8: Audit Log Management

CIS Control 9: Email and Web Browser Protections

CIS Control 10: Malware Defenses

CIS Control 11: Data Recovery

CIS Control 12: Network Infrastructure Management

CIS Control 13: Network Monitoring and Defense

CIS Control 14: Security Awareness and Skill Training

CIS Control 15: Service Provider Management

CIS Control 16: Application Software Security

CIS Control 17: Incident Response Management

CIS Control 18: Penetration Testing

Get Foundational Security with the CIS Controls Monitoring

Use CIS Controls to establish solid protection against the most common attacks and use Tripwire to provide coverage for the controls.

Learn More
Related Solutions
Vulnerability & Risk Management Compliance CIS Controls
Join over 20,000 IT security pros who get our top stories delivered to their inbox every week!