ℹ️ Note: This integration covers Tenable Vulnerability Management FedRAMP (FedRAMP Moderate). It does not support the standard commercial Tenable Vulnerability Management product. If your Tenable URL is cloud.tenable.com, use the standard Tenable integration. API keys generated in one environment will not authenticate against the other.
Overview
The Tenable Vulnerability Management FedRAMP integration connects Vanta to Tenable's FedRAMP-authorized cloud environment at fedcloud.tenable.com via API, enabling automated vulnerability management and compliance evidence collection in regulated environments. It is designed for federal agencies and organizations operating under FedRAMP Moderate requirements that use Tenable as their primary vulnerability scanner.
Connecting Tenable Vulnerability Management FedRAMP to Vanta lets you:
Pull vulnerability scan results into Vanta's Vulnerabilities page and track remediation against your SLAs.
Sync user accounts from Tenable so Vanta can verify that access follows your access control policies.
Capture evidence that vulnerability scans are running at your required cadence.
Automate evidence collection across FedRAMP compliance controls.
Estimated setup time: Under 20 minutes
Use cases and capabilities
This integration pulls vulnerability data, scan records, assets, and user accounts from your Tenable FedRAMP environment into Vanta so they can be tracked, reviewed, and used as compliance evidence.
Capabilities overview
Resource / Capability | Supported | How it is used in Vanta |
Vulnerabilities (Critical / High / Medium / Low) | Yes | Surfaced on Vanta's Vulnerabilities page; tracked against your remediation SLAs |
Vulnerability scans | Yes | Evidence that scans run at your required cadence |
Assets | Yes | Scanned targets associated with vulnerabilities |
User accounts | Yes — requires Administrator role on the API user | Personnel tracking; verifies access is removed at offboarding |
Informational (INFO) severity findings | No | Not imported — only Low, Medium, High, and Critical are pulled |
Security alert status | No | Not supported by this integration |
Cloud asset inventory (compute instances) | No | Not supported for the FedRAMP variant |
Write-back / remediation actions in Tenable | No | Vanta has read-only access and cannot modify anything in Tenable |
Tests and frameworks enabled
Vanta uses tests to automatically evaluate whether your environment meets specific compliance controls. Once connected, this integration enables the following tests:
Critical / High / Medium / Low vulnerabilities identified are addressed (Tenable FedRAMP) — tracks open findings and remediation against your SLAs.
Tenable FedRAMP vulnerability scan frequency — validates scans have been executed within your configured scanning cadence.
Tenable FedRAMP accounts associated with users — verifies all Tenable accounts are linked to known personnel in Vanta.
Tenable FedRAMP accounts deprovisioned when personnel leave — confirms access is removed at offboarding.
Prerequisites
Before starting setup, confirm the following:
You have a Vanta administrator account.
You have a Tenable administrator account with access to your FedRAMP instance at fedcloud.tenable.com.
You are operating in a FedRAMP Moderate Tenable environment.
💡 Tip: Decide before setup whether you want Vanta to sync user accounts in addition to vulnerability data. If yes, the API user you create must have the Administrator role. If you only need vulnerability, scan, and asset data, a Basic User role is sufficient.
Setup guide
Step 1: Start the connection in Vanta
In Vanta, go to the Integrations page, click Add integration, and search for Tenable Vulnerability Management FedRAMP. For help, see our guide to the Integrations Page.
Click Connect, then click the Access Control Users link in the connection wizard. This will open your Tenable FedRAMP portal at fedcloud.tenable.com.
Step 2: Create a service user in Tenable
In your Tenable FedRAMP instance:
Click Create user.
Enter Vanta Scanner as the username and set a password.
Assign the role Basic User (or Administrator if you want Vanta to sync user accounts).
Scroll down and confirm that both API Key and Username/Password authentication are enabled. Click Next.
Leave the default settings on the remaining screens and click Next, then Save to create the user.
Return to Vanta, enter the username you just created, and click Next.
Step 3: Create a permission in Tenable
From Vanta, follow the link to Access Control Permissions page in Tenable, then:
Click + Create Permission.
Set the Permission name to Vanta Scanner.
Under Select user, choose the Vanta Scanner user you created.
Under Select group, choose All Users.
Assign the Can View permission.
Under Select assets, choose All Assets.
Click Save, then Save again to confirm.
Return to Vanta and click Next.
Step 4: Generate an API key
In Tenable, return to the Users table.
Right-click the Vanta Scanner user and select User Assist.
Switch back to the Vanta connection wizard and click the API Keys page link. This opens the API keys page in Tenable.
Click Generate, then Continue.
Copy both the Access Key and the Secret Key. You will need these in the next step.
Step 5: Complete the connection in Vanta
Return to Vanta.
Paste the Access Key and Secret Key into their corresponding fields.
Click Done to complete the integration.
ℹ️ Note: The username you entered earlier in Vanta must exactly match the username of the Vanta Scanner user you created in Tenable. Vanta validates this match during setup.
After setup, the Tenable Vulnerability Management FedRAMP integration will appear as Connected in your integrations list.
Permissions
Read access
Vanta uses the API key pair you provide to read the following data from your Tenable FedRAMP instance (fedcloud.tenable.com):
User accounts — to verify access is attributed to active personnel and revoked at offboarding. Requires an Administrator-role API user.
Assets — the scanned targets that vulnerabilities are associated with.
Vulnerabilities — to surface findings on Vanta's Vulnerabilities page and track remediation against your SLAs.
Vulnerability scans — to show that scans are running at your required cadence.
Access control permissions — used during credential validation at setup to confirm the API user has been granted permissions to view assets.
Write access
There is no write access. Vanta cannot modify, remediate, or delete any data in your Tenable environment.
Minimum required permissions
Purpose | Required role |
Vulnerability data, scan records, and assets | Basic User |
User account syncing | Administrator |
Troubleshooting and FAQs
User accounts aren't showing up in Vanta
Likely cause: The API user has a Basic User role, which only grants access to vulnerability, scan, and asset data. User account syncing requires the Administrator role.
Fix: Create a new API user in Tenable with the Administrator role, generate a new API key pair for that user, and reconnect the integration in Vanta using the new credentials.
My API keys are being rejected during setup
Likely cause: The keys were generated in the standard commercial instance (
cloud.tenable.com) instead of the FedRAMP instance (fedcloud.tenable.com). Keys are environment-specific and will not work across environments.Fix: Log in to
fedcloud.tenable.com, navigate to the Vanta Scanner user, and generate a new API key pair from your FedRAMP instance.
Vulnerabilities aren't appearing after I connect
Likely cause: If no assets have been scanned yet, Vanta returns an empty result set. Vulnerability data is linked to assets. If no FedRAMP assets exist in Vanta, no vulnerabilities will surface.
How to confirm: In Vanta, go to Assets and filter for Tenable FedRAMP to check whether assets were imported.
Fix: Ensure scans have run and assets exist in your Tenable FedRAMP environment before connecting, then allow one sync cycle (up to 8 hours) for data to appear.
The integration shows as disconnected or needs reconnection
Likely cause: The API key was revoked or regenerated in Tenable, or the Vanta Scanner user was disabled or deleted.
Fix: In Tenable, verify the Vanta Scanner user is active and the API key is still valid. Generate a new key pair if needed, then update the credentials in Vanta from the Integrations page.
Setup fails even though my API keys are correct
Likely cause: The username you entered in Vanta does not exactly match the username of the API user in Tenable. Vanta validates the username against your Tenable user list during setup, and a mismatch will cause the connection to fail — even if the API keys themselves are valid.
Fix: Return to Step 2 and confirm the exact username of the Vanta Scanner user in Tenable (check for extra spaces or capitalization differences). Enter that exact username when prompted in Vanta, then retry the connection.
