Skip to main content

Connecting Vanta & Tenable Vulnerability Management FedRAMP

ℹ️ Note: This integration covers Tenable Vulnerability Management FedRAMP (FedRAMP Moderate). It does not support the standard commercial Tenable Vulnerability Management product. If your Tenable URL is cloud.tenable.com, use the standard Tenable integration. API keys generated in one environment will not authenticate against the other.

Overview

The Tenable Vulnerability Management FedRAMP integration connects Vanta to Tenable's FedRAMP-authorized cloud environment at fedcloud.tenable.com via API, enabling automated vulnerability management and compliance evidence collection in regulated environments. It is designed for federal agencies and organizations operating under FedRAMP Moderate requirements that use Tenable as their primary vulnerability scanner.

Connecting Tenable Vulnerability Management FedRAMP to Vanta lets you:

  • Pull vulnerability scan results into Vanta's Vulnerabilities page and track remediation against your SLAs.

  • Sync user accounts from Tenable so Vanta can verify that access follows your access control policies.

  • Capture evidence that vulnerability scans are running at your required cadence.

  • Automate evidence collection across FedRAMP compliance controls.

Estimated setup time: Under 20 minutes


Use cases and capabilities

This integration pulls vulnerability data, scan records, assets, and user accounts from your Tenable FedRAMP environment into Vanta so they can be tracked, reviewed, and used as compliance evidence.

Capabilities overview

Resource / Capability

Supported

How it is used in Vanta

Vulnerabilities (Critical / High / Medium / Low)

Yes

Surfaced on Vanta's Vulnerabilities page; tracked against your remediation SLAs

Vulnerability scans

Yes

Evidence that scans run at your required cadence

Assets

Yes

Scanned targets associated with vulnerabilities

User accounts

Yes — requires Administrator role on the API user

Personnel tracking; verifies access is removed at offboarding

Informational (INFO) severity findings

No

Not imported — only Low, Medium, High, and Critical are pulled

Security alert status

No

Not supported by this integration

Cloud asset inventory (compute instances)

No

Not supported for the FedRAMP variant

Write-back / remediation actions in Tenable

No

Vanta has read-only access and cannot modify anything in Tenable

Tests and frameworks enabled

Vanta uses tests to automatically evaluate whether your environment meets specific compliance controls. Once connected, this integration enables the following tests:

  • Critical / High / Medium / Low vulnerabilities identified are addressed (Tenable FedRAMP) — tracks open findings and remediation against your SLAs.

  • Tenable FedRAMP vulnerability scan frequency — validates scans have been executed within your configured scanning cadence.

  • Tenable FedRAMP accounts associated with users — verifies all Tenable accounts are linked to known personnel in Vanta.

  • Tenable FedRAMP accounts deprovisioned when personnel leave — confirms access is removed at offboarding.


Prerequisites

Before starting setup, confirm the following:

  • You have a Vanta administrator account.

  • You have a Tenable administrator account with access to your FedRAMP instance at fedcloud.tenable.com.

  • You are operating in a FedRAMP Moderate Tenable environment.

💡 Tip: Decide before setup whether you want Vanta to sync user accounts in addition to vulnerability data. If yes, the API user you create must have the Administrator role. If you only need vulnerability, scan, and asset data, a Basic User role is sufficient.


Setup guide

Step 1: Start the connection in Vanta

  • In Vanta, go to the Integrations page, click Add integration, and search for Tenable Vulnerability Management FedRAMP. For help, see our guide to the Integrations Page.

  • Click Connect, then click the Access Control Users link in the connection wizard. This will open your Tenable FedRAMP portal at fedcloud.tenable.com.

Step 2: Create a service user in Tenable

In your Tenable FedRAMP instance:

  • Click Create user.

  • Enter Vanta Scanner as the username and set a password.

  • Assign the role Basic User (or Administrator if you want Vanta to sync user accounts).

  • Scroll down and confirm that both API Key and Username/Password authentication are enabled. Click Next.

  • Leave the default settings on the remaining screens and click Next, then Save to create the user.

  • Return to Vanta, enter the username you just created, and click Next.

Step 3: Create a permission in Tenable

From Vanta, follow the link to Access Control Permissions page in Tenable, then:

  • Click + Create Permission.

  • Set the Permission name to Vanta Scanner.

  • Under Select user, choose the Vanta Scanner user you created.

  • Under Select group, choose All Users.

  • Assign the Can View permission.

  • Under Select assets, choose All Assets.

  • Click Save, then Save again to confirm.

  • Return to Vanta and click Next.

Step 4: Generate an API key

  • In Tenable, return to the Users table.

  • Right-click the Vanta Scanner user and select User Assist.

  • Switch back to the Vanta connection wizard and click the API Keys page link. This opens the API keys page in Tenable.

  • Click Generate, then Continue.

  • Copy both the Access Key and the Secret Key. You will need these in the next step.

Step 5: Complete the connection in Vanta

  • Return to Vanta.

  • Paste the Access Key and Secret Key into their corresponding fields.

  • Click Done to complete the integration.

ℹ️ Note: The username you entered earlier in Vanta must exactly match the username of the Vanta Scanner user you created in Tenable. Vanta validates this match during setup.

  • After setup, the Tenable Vulnerability Management FedRAMP integration will appear as Connected in your integrations list.


Permissions

Read access

Vanta uses the API key pair you provide to read the following data from your Tenable FedRAMP instance (fedcloud.tenable.com):

  • User accounts — to verify access is attributed to active personnel and revoked at offboarding. Requires an Administrator-role API user.

  • Assets — the scanned targets that vulnerabilities are associated with.

  • Vulnerabilities — to surface findings on Vanta's Vulnerabilities page and track remediation against your SLAs.

  • Vulnerability scans — to show that scans are running at your required cadence.

  • Access control permissions — used during credential validation at setup to confirm the API user has been granted permissions to view assets.

Write access

There is no write access. Vanta cannot modify, remediate, or delete any data in your Tenable environment.

Minimum required permissions

Purpose

Required role

Vulnerability data, scan records, and assets

Basic User

User account syncing

Administrator


Troubleshooting and FAQs

User accounts aren't showing up in Vanta

  • Likely cause: The API user has a Basic User role, which only grants access to vulnerability, scan, and asset data. User account syncing requires the Administrator role.

  • Fix: Create a new API user in Tenable with the Administrator role, generate a new API key pair for that user, and reconnect the integration in Vanta using the new credentials.

My API keys are being rejected during setup

  • Likely cause: The keys were generated in the standard commercial instance (cloud.tenable.com) instead of the FedRAMP instance (fedcloud.tenable.com). Keys are environment-specific and will not work across environments.

  • Fix: Log in to fedcloud.tenable.com, navigate to the Vanta Scanner user, and generate a new API key pair from your FedRAMP instance.

Vulnerabilities aren't appearing after I connect

  • Likely cause: If no assets have been scanned yet, Vanta returns an empty result set. Vulnerability data is linked to assets. If no FedRAMP assets exist in Vanta, no vulnerabilities will surface.

  • How to confirm: In Vanta, go to Assets and filter for Tenable FedRAMP to check whether assets were imported.

  • Fix: Ensure scans have run and assets exist in your Tenable FedRAMP environment before connecting, then allow one sync cycle (up to 8 hours) for data to appear.

The integration shows as disconnected or needs reconnection

  • Likely cause: The API key was revoked or regenerated in Tenable, or the Vanta Scanner user was disabled or deleted.

  • Fix: In Tenable, verify the Vanta Scanner user is active and the API key is still valid. Generate a new key pair if needed, then update the credentials in Vanta from the Integrations page.

Setup fails even though my API keys are correct

  • Likely cause: The username you entered in Vanta does not exactly match the username of the API user in Tenable. Vanta validates the username against your Tenable user list during setup, and a mismatch will cause the connection to fail — even if the API keys themselves are valid.

  • Fix: Return to Step 2 and confirm the exact username of the Vanta Scanner user in Tenable (check for extra spaces or capitalization differences). Enter that exact username when prompted in Vanta, then retry the connection.