Question:
I work at a university that has two IT security teams: one for internal servers and one for broader security. We use Tenable to perform external network scans on all our servers, and credentialed scans on our Linux servers. However, we do not scan our Windows servers internally. We are preparing for an audit that requires us to comply with NIST SP 800-171, 3.11.2, which states that vulnerability scanning should include patch levels, functions, ports, protocols, services, and information flow control mechanisms. I have noticed that one of our Windows servers is several months behind on patches, but this was not reported by Tenable. Both security teams claim that external network scans are sufficient, but I am concerned about the security of our systems and the protection of our PII. My question is: does an external network scan using Tenable meet the security requirement of NIST SP 800-171, 3.11.2, or do we need to perform internal scans on our Windows servers as well?
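The gap described in the question, a Windows server months behind on patches that the scanner never reported, comes down to what an unauthenticated network scan can observe: open ports, banners and service responses, not the installed-update record on the host. Patch level has to be read from inside the system, which is what a credentialed scan does. The script below is an added example, not part of the original post, of collecting that same data directly from Windows servers over PowerShell Remoting so it can be compared against what Tenable reports. It assumes WinRM is enabled and the caller has local administrator rights on the targets; the hostnames and the 45-day threshold are hypothetical.

```powershell
# Added example (not from the original post): report the patch age of Windows
# servers, the kind of data an unauthenticated external scan cannot see.
# Assumes WinRM (PowerShell Remoting) is enabled and the caller has local
# admin rights on the targets. Hostnames and threshold are hypothetical.
$servers    = @('winsrv01', 'winsrv02')   # hypothetical hostnames
$maxAgeDays = 45                          # hypothetical patch-age threshold

$report = Invoke-Command -ComputerName $servers -ScriptBlock {
    # Get-HotFix reads Win32_QuickFixEngineering: it lists OS updates but not
    # Office/other-product patches or updates pending a reboot, so treat the
    # result as a floor on patch status, not a complete inventory.
    $hotfixes = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending
    $latest = $hotfixes | Select-Object -First 1

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        OSVersion    = (Get-CimInstance Win32_OperatingSystem).Version
        LatestHotFix = if ($latest) { $latest.HotFixID } else { $null }
        InstalledOn  = if ($latest) { $latest.InstalledOn } else { $null }
        DaysSince    = if ($latest) {
                           (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days
                       } else { $null }
    }
}

# Flag any host with no recorded update or one older than the threshold.
$report |
    Select-Object Computer, OSVersion, LatestHotFix, InstalledOn, DaysSince,
        @{ Name = 'Status'; Expression = {
            if ($null -eq $_.DaysSince -or $_.DaysSince -gt $maxAgeDays) { 'BEHIND' } else { 'OK' }
        } } |
    Sort-Object DaysSince -Descending |
    Format-Table -AutoSize
```

A host that shows `BEHIND` here but clean in the external scan results is exactly the discrepancy the question describes, and is the evidence to bring to both teams: the network-only view did not include patch level for that system, so it cannot be the basis for claiming patch-level coverage.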