Vulnerability Management: Scanning, Patching, and Remediation
Vulnerability management is a structured security discipline covering the identification, classification, prioritization, and remediation of weaknesses in IT systems, networks, and applications. The practice spans automated scanning, patch deployment, risk-based triage, and compliance verification across the full asset lifecycle. For US organizations operating under frameworks such as NIST SP 800-53 or sector mandates like PCI DSS and HIPAA, vulnerability management functions as a core control domain rather than an optional hygiene measure. This page describes how the discipline is structured, how its processes operate, and where its scope intersects with adjacent security functions.
Definition and scope
Vulnerability management is formally defined within NIST SP 800-40, Rev 4 as the enterprise-wide program for managing exposure to vulnerabilities through the systematic identification, classification, prioritization, and remediation of software flaws. The scope extends to operating systems, applications, firmware, cloud infrastructure, and network devices — any asset that can carry a Common Vulnerabilities and Exposures (CVE) identifier tracked in the NIST National Vulnerability Database (NVD).
The discipline is distinct from patch management, though the two overlap. Patch management addresses the deployment mechanics of vendor-issued fixes. Vulnerability management is broader: it includes unpatched systems, misconfiguration risks, end-of-life software with no available patch, compensating control decisions, and residual risk acceptance workflows.
Regulatory obligations tie directly to this scope. PCI DSS v4.0, Requirement 11 mandates quarterly external vulnerability scans performed by an Approved Scanning Vendor (ASV) and internal scans after any significant infrastructure change. HIPAA's Security Rule at 45 CFR § 164.308(a)(8) requires covered entities to perform periodic technical and non-technical evaluations of security controls, which regulators and auditors treat as inclusive of vulnerability assessment. The CISA Known Exploited Vulnerabilities (KEV) Catalog adds an operational dimension: federal civilian executive branch agencies are bound by Binding Operational Directive 22-01 to remediate KEV entries on fixed timelines, with critical-severity entries requiring remediation within 14 days of catalog addition.
Practitioners using the information security providers on this authority site will find vulnerability management referenced across multiple service categories, from managed security service providers to compliance assessment firms.
How it works
A mature vulnerability management program operates across five discrete phases:
- Asset discovery and inventory — All in-scope assets are enumerated, typically through active network scanning or integration with a configuration management database (CMDB). The NIST Cybersecurity Framework (CSF) 2.0, under the Identify function, treats asset inventory as a prerequisite to any effective vulnerability control.
- Vulnerability scanning — Authenticated and unauthenticated scans probe assets for known CVEs, misconfigurations, and policy deviations. Authenticated scans, which use credentials to inspect internal system state, detect a materially higher proportion of vulnerabilities than unauthenticated scans — a distinction significant for audit evidence purposes.
- Risk scoring and prioritization — Raw scan output is normalized using the Common Vulnerability Scoring System (CVSS), maintained by the Forum of Incident Response and Security Teams (FIRST). CVSS produces a base score from 0.0 to 10.0. Organizations supplement CVSS with contextual factors — asset criticality, exploitability evidence from CISA KEV, and threat intelligence — because CVSS base scores alone do not account for whether an exploit is actively used in the wild.
- Remediation and patching — Fixes are applied in priority order. Remediation options include vendor patches, configuration hardening, network segmentation, or compensating controls when patching is operationally infeasible. Service-level agreements within vulnerability management programs typically define remediation windows by CVSS tier: critical vulnerabilities (CVSS 9.0–10.0) are commonly assigned a 15- to 30-day window, while high-severity findings (CVSS 7.0–8.9) carry 30- to 60-day windows.
- Verification and reporting — Post-remediation scans confirm closure. Findings, remediation status, and residual risk acceptances are documented for audit trails required under frameworks including NIST SP 800-53 Rev 5, Control Family RA (Risk Assessment) and PCI DSS Requirement 11.
Common scenarios
Enterprise network environments — Large organizations running hybrid on-premises and cloud infrastructure face scope fragmentation. Cloud workloads in AWS, Azure, or GCP require cloud-native scanning integrations; traditional on-premises scanners do not reach ephemeral cloud assets. The CISA Cybersecurity Advisory AA22-137A identified poor asset visibility as a root-cause contributor to successful ransomware intrusions.
Healthcare and covered entities — HIPAA-regulated environments must balance vulnerability scanning against clinical system availability. Electronic health record (EHR) platforms and medical devices running legacy operating systems frequently cannot accept patches without vendor revalidation. In these cases, vulnerability management programs document risk acceptance with compensating controls — a process audited by HHS Office for Civil Rights (OCR) during breach investigations.
Payment card environments — PCI DSS ASV scanning is a compliance requirement, not an operational choice. Merchants and service providers in scope for PCI DSS must produce quarterly ASV scan reports showing no unresolved high-severity vulnerabilities on internet-facing systems before a Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ) can be submitted.
Federal civilian agencies — BOD 22-01 and the broader OMB Memorandum M-22-09 on zero trust architecture have elevated vulnerability management from a best-practice to an enforceable federal mandate with defined timelines. Agencies that maintain a full inventory through CISA's Continuous Diagnostics and Mitigation (CDM) program are expected to feed CDM dashboards with near-real-time vulnerability data.
Decision boundaries
Vulnerability management intersects with, but does not replace, three adjacent disciplines:
- Penetration testing validates whether vulnerabilities are exploitable in combination, under adversarial conditions. Scanning identifies individual weaknesses; penetration testing simulates attack chains. The two are complementary, not substitutable. NIST SP 800-115 provides the technical guide for security testing and examination that covers this boundary.
- Threat intelligence informs prioritization. A CVSS 7.5 vulnerability actively verified in the CISA KEV Catalog carries higher operational urgency than a CVSS 9.0 finding with no known active exploitation. Programs that ignore exploit-in-the-wild evidence in favor of raw CVSS scores will consistently misprioritize remediation backlogs.
- Configuration management addresses security posture through enforced baselines rather than reactive patching. The CIS Benchmarks, published by the Center for Internet Security, define hardened configuration standards for over 100 technology platforms. Misconfigurations that do not carry a CVE identifier fall outside scanner detection and must be addressed through configuration compliance tooling.
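As an added illustration of the risk-scoring phase and the threat-intelligence boundary described above (example code, not from the page or any named scanner), the following Python triages a constructed scan backlog by KEV membership, asset criticality, and CVSS tier, and derives remediation due dates. The medium/low windows, the 14-day window applied to every KEV entry, the asset criticality scale, and the CVE-EXAMPLE identifiers are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str                # identifier as reported by the scanner
    cvss: float             # CVSS base score, 0.0 - 10.0
    in_kev: bool            # listed in the CISA KEV Catalog
    asset_criticality: int  # 3 = crown jewel, 2 = business, 1 = low (assumed scale)


# Remediation windows in days. Critical/high take the upper end of the
# 15-30 and 30-60 day ranges; medium/low values are assumed policy choices.
SLA_DAYS = {"critical": 30, "high": 60, "medium": 90, "low": 180}
KEV_DAYS = 14  # BOD 22-01 style window applied to any KEV entry (assumption)
FOUND_ON = date(2024, 1, 1)  # constructed scan date for the sample backlog


def severity_tier(cvss: float) -> str:
    """Map a CVSS base score to the tier that selects the SLA window."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def remediation_due(f: Finding, found_on: date) -> date:
    """KEV membership shortens the window regardless of CVSS tier."""
    days = SLA_DAYS[severity_tier(f.cvss)]
    if f.in_kev:
        days = min(days, KEV_DAYS)
    return found_on + timedelta(days=days)


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Order the backlog: exploited-in-the-wild first, then asset criticality,
    then raw CVSS, so a KEV-listed 7.5 outranks a non-KEV 9.0."""
    return sorted(findings, key=lambda f: (not f.in_kev, -f.asset_criticality, -f.cvss))


# Constructed sample backlog for illustration only.
SAMPLE = [
    Finding("db-01", "CVE-EXAMPLE-0001", 9.0, False, 3),
    Finding("web-03", "CVE-EXAMPLE-0002", 7.5, True, 2),
    Finding("kiosk-12", "CVE-EXAMPLE-0003", 5.3, False, 1),
    Finding("vpn-gw", "CVE-EXAMPLE-0004", 9.8, True, 3),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f.asset, f.cve, severity_tier(f.cvss), remediation_due(f, FOUND_ON))
```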
Organizations calibrating the scope of a vulnerability management program — particularly those determining whether to build internally or engage a managed service provider — can reference the service landscape described in the .
Risk acceptance is a formal decision boundary within the program. Not all vulnerabilities can or should be patched immediately. Documented risk acceptance, reviewed by a named risk owner and time-bounded, satisfies audit requirements under NIST SP 800-53 RA-3 (Risk Assessment) and is expected evidence in PCI DSS and HIPAA compliance reviews. Undocumented acceptance — where vulnerabilities are simply left open without a recorded decision — exposes organizations to regulatory findings and, in breach scenarios, to regulatory enforcement. More detail on how the broader security service landscape is organized is available through the "how to use this information security resource" reference.
References
- NIST SP 800-40, Rev 4
- NIST's National Vulnerability Database
- 45 CFR §164.308(a)(1)
- CISA Known Exploited Vulnerabilities (KEV) Catalog
- ISO/IEC 27001 — Information Security Management
- NIST SP 800-53 — Security and Privacy Controls
- Cybersecurity and Infrastructure Security Agency
- CIS Critical Security Controls