Vulnerability Management (VM)

Vulnerability Management is the common term for tasks such as vulnerability scanning, patch testing, and deployment.

VM practices nearly always deal with the output of Coordinated Vulnerability Disclosure (CVD) practices, not the inputs. VM practices focus on the positive action of identifying specific systems affected by known (post-disclosure) vulnerabilities and reducing the risks they pose through the application of mitigations or remediation such as patches or configuration changes. In other words, VM entails the identification of the instances of a product on which action must be taken to mitigate or remediate known vulnerabilities in that product.

CERT RMM: Vulnerability Analysis and Resolution (VAR)

Vulnerability Analysis and Resolution (VAR) is an operational process described within the CERT Resilience Management Model (RMM) that closely overlaps with the concept of Vulnerability Management. Although the RMM is designed with a focus on operational resilience for organizations, there is sufficient overlap with our topic that it's worth highlighting here. Within the RMM's VAR process area, a number of goals and practices are identified:

  • Prepare for Vulnerability Analysis and Resolution.
  • Establish Scope -- The assets and operational environments that must be examined for vulnerabilities are identified.
  • Establish a Vulnerability Analysis and Resolution Strategy.
  • Establish and maintain a process for identifying and analyzing vulnerabilities.
  • Identify Sources of Vulnerability Information.
  • Discover Vulnerabilities.
  • Analyze Vulnerabilities to determine whether they need to be reduced or eliminated.
  • Manage Exposure to Vulnerabilities -- Strategies are developed and implemented to manage exposure to identified vulnerabilities.
  • Identify Root Causes -- The root causes of vulnerabilities are examined to improve vulnerability analysis and resolution and reduce organizational exposure. Perform review of identified vulnerabilities to determine and address underlying causes.

NIST SP 800-40

NIST SP 800-40 Rev. 4 Guide to Enterprise Patch Management Planning frames patch management as preventative maintenance for information systems. Skimming the section headings of NIST SP 800-40 provides a good overview of the process and objectives of VM practices:

  • Risk Response Approaches for Software Vulnerabilities
    • Risk Responses
    • Software Vulnerability Management Life Cycle
    • Risk Response Execution
      • Prepare to Deploy the Patch
      • Deploy the Patch
      • Verify Deployment
      • Monitor the Deployed Patches
  • Recommendations for Enterprise Patch Management Planning
    • Reduce Patching-Related Disruptions
    • Inventory Your Software and Assets
    • Define Risk Response Scenarios
    • Assign Each Asset to a Maintenance Group
    • Define Maintenance Plans for Each Maintenance Group
      • Routine Patching
      • Emergency Patching
      • Emergency Mitigation
      • Unpatchable Assets
      • Exceptions to Maintenance Plans
    • Choose Actionable Enterprise-Level Patching Metrics
    • Consider Software Maintenance in Procurement
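The description of VM above (identifying the instances of a product that need action) and the NIST SP 800-40 headings just listed (inventory assets, assign each asset to a maintenance group, define routine/emergency/mitigation/unpatchable plans with exceptions) describe one procedure. The following is an added Python illustration of that procedure, not code from the CERT CVD guide or from NIST SP 800-40. It matches a constructed asset inventory against constructed post-disclosure vulnerability records, then picks a response for each affected instance from the asset's maintenance plan. All hosts, products, versions, identifiers (the `EX-` ids are deliberately not CVE numbers), deadlines and the rule that triggers the emergency path are assumptions made for the example.

```python
"""Toy vulnerability-management triage: inventory x vulnerability feed -> responses."""
from dataclasses import dataclass
from typing import Optional, Tuple

Version = Tuple[int, ...]


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: Version
    maintenance_group: str


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str                 # constructed id, deliberately not a CVE number
    product: str
    affected_from: Version       # first affected version (inclusive)
    fixed_in: Optional[Version]  # first fixed version, or None if no fix exists yet
    severity: str                # "critical" | "high" | "medium" | "low"
    exploited: bool              # exploitation observed in the wild


@dataclass(frozen=True)
class MaintenancePlan:
    patchable: bool              # False for assets that cannot be patched in place
    routine_days: int            # deadline for routine patching
    emergency_days: int          # deadline for emergency patching
    exceptions: frozenset = frozenset()  # hosts with an approved exception


def parse_version(text: str) -> Version:
    """'2.4.1' -> (2, 4, 1); tuples compare component-wise, unlike strings."""
    return tuple(int(part) for part in text.split("."))


def is_affected(asset: Asset, vuln: Vulnerability) -> bool:
    """An instance is affected if it runs the product at a version in [affected_from, fixed_in)."""
    if asset.product != vuln.product or asset.version < vuln.affected_from:
        return False
    return vuln.fixed_in is None or asset.version < vuln.fixed_in


def is_emergency(vuln: Vulnerability) -> bool:
    # Assumed trigger for the emergency path: critical severity or known exploitation.
    return vuln.severity == "critical" or vuln.exploited


def choose_response(asset: Asset, vuln: Vulnerability, plan: MaintenancePlan):
    """Return (response, deadline_days) for one affected instance."""
    emergency = is_emergency(vuln)
    # Assumed policy: an approved exception defers routine work only; emergencies still get a response.
    if asset.host in plan.exceptions and not emergency:
        return ("exception", None)
    if vuln.fixed_in is None:
        # Nothing to deploy yet: reduce exposure with configuration changes or other controls.
        return ("emergency mitigation" if emergency else "mitigation", None)
    if not plan.patchable:
        # A fix exists but this asset cannot take it: handle under the unpatchable-assets plan.
        return ("emergency mitigation" if emergency else "unpatchable: compensating control", None)
    if emergency:
        return ("emergency patching", plan.emergency_days)
    return ("routine patching", plan.routine_days)


def plan_actions(assets, vulns, plans):
    """Map (host, vuln_id) -> (response, deadline_days) for every affected instance."""
    actions = {}
    for asset in assets:
        plan = plans[asset.maintenance_group]
        for vuln in vulns:
            if is_affected(asset, vuln):
                actions[(asset.host, vuln.vuln_id)] = choose_response(asset, vuln, plan)
    return actions


# Constructed inventory, vulnerability records and maintenance plans for the example.
ASSETS = [
    Asset("web01", "acme-httpd", parse_version("2.4.1"), "internet-facing"),
    Asset("web02", "acme-httpd", parse_version("2.4.9"), "internet-facing"),
    Asset("ws17", "acme-office", parse_version("3.1.0"), "workstations"),
    Asset("ws18", "acme-office", parse_version("3.1.0"), "workstations"),
    Asset("plc03", "acme-httpd", parse_version("2.2.0"), "ot-fixed"),
]
VULNS = [
    Vulnerability("EX-0001", "acme-httpd", (2, 0, 0), (2, 4, 5), "critical", True),
    Vulnerability("EX-0002", "acme-office", (3, 0, 0), (3, 2, 0), "medium", False),
    Vulnerability("EX-0003", "acme-office", (3, 1, 0), None, "high", False),
]
PLANS = {
    "internet-facing": MaintenancePlan(True, routine_days=14, emergency_days=2),
    "workstations": MaintenancePlan(True, routine_days=30, emergency_days=7,
                                    exceptions=frozenset({"ws18"})),
    "ot-fixed": MaintenancePlan(False, routine_days=90, emergency_days=30),
}

if __name__ == "__main__":
    for (host, vuln_id), (response, days) in sorted(plan_actions(ASSETS, VULNS, PLANS).items()):
        due = f"within {days} days" if days is not None else "no patch deadline"
        print(f"{host:6} {vuln_id}: {response} ({due})")
```

Running the script lists six affected instances: web01 goes to emergency patching, web02 is already past the fixed version and gets nothing, ws17 gets routine patching for one record and mitigation for the record with no fix, ws18's approved exception defers both of its non-emergency items, and the unpatchable plc03 gets emergency mitigation because the same record is exploited in the wild. Version comparison is done on integer tuples rather than strings so that "2.10.0" correctly sorts after "2.9.5"; a real deployment would replace the inline lists with the organisation's asset inventory and its vulnerability feed.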