This post provides practical, step-by-step guidance for configuring Tenable Nessus to meet the Compliance Framework requirement RA.L2-3.11.2 (CMMC 2.0 Level 2 / NIST SP 800-171 Rev. 2, "Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified") by implementing credentialed scans, selecting the right plugins, and building repeatable scan templates that produce audit-ready evidence.
Prerequisites and planning for Compliance Framework scans
Before you start configuring Nessus, inventory the systems in scope for the Compliance Framework assessment, confirm that your plugin feed is licensed and updating (Nessus Professional, Tenable.io or Tenable.sc with an active subscription), and create dedicated service accounts for authenticated scanning with the least privilege the checks actually need: on Windows, Nessus local checks require membership in the local Administrators group on each target, while on Linux/Unix an unprivileged SSH account with scoped sudo covers most package and configuration checks. Plan network access from the scanner to the targets (allow the scanner IPs through host and network firewalls) and make sure the management protocols Nessus uses are reachable: SMB (TCP 445) plus WMI over RPC/DCOM (TCP 135 and the dynamic RPC port range) for Windows, and SSH (TCP 22) for Linux/Unix. Document which systems are scanned with domain accounts and which need local accounts. Capture the evidence requirements up front (report formats, plugin IDs, timestamps and the written scope definition) so that the scan configuration produces the artifacts auditors expect.
Configuring credentials in Nessus for authenticated scans
In a Nessus scan policy, open the Credentials section and add an account for each OS type. For Windows, add an SMB credential (username and password, with the domain entered in the separate Domain field rather than as domain\user, or Kerberos where available). The account must be a member of the local Administrators group on every target, the Remote Registry service must be running (or let Nessus start it for the duration of the scan with the "Start the Remote Registry service during the scan" option), the ADMIN$ and C$ administrative shares must be enabled, and WMI must be reachable over RPC/DCOM, so allow TCP 135 and the dynamic RPC range from the scanner through the host firewall. If you use a local (non-domain) administrator account, UAC remote restrictions will reject it until the LocalAccountTokenFilterPolicy registry value is set to 1 on the target. For Linux/BSD, use SSH key-based authentication (a private key, optionally passphrase-protected) or password SSH, with privilege escalation set to sudo. Create a dedicated scan account and grant it passwordless sudo through its own file in /etc/sudoers.d, for example a line such as "nessus-scan ALL=(root) NOPASSWD: /usr/sbin/dmidecode, /usr/bin/rpm -qa" in /etc/sudoers.d/nessus-scan, validated with visudo -c before use. Keep that list to read-only commands: the commonly suggested NOPASSWD entries for apt-get or yum hand the scan account full root (apt-get accepts options that execute arbitrary commands, and package enumeration does not need root in the first place). Be aware that Tenable's guidance is that some local checks require unrestricted sudo; if you restrict it, review the first scan for "insufficient privilege" results and widen the command list deliberately rather than defaulting to ALL. For databases and network devices, supply database credentials and SNMPv3 (avoid SNMPv2c, which sends the community string in clear text) or SSH keys. Store credentials only in the Nessus credential store or an integrated secrets manager, and document the account names and rotation schedule as Compliance Framework evidence.
Selecting plugins and tuning scan policies
Choose plugin families and individual plugins from the compliance objective. For RA.L2-3.11.2 the patch and local-check families matter most: enable the OS-specific Local Security Checks families (for example "Windows : Microsoft Bulletins", "Ubuntu Local Security Checks", "Red Hat Local Security Checks"), the "Windows" family, and, if you also verify configuration baselines, "Policy Compliance" and "SCAP and OVAL Checks". Keep the plugin feed updating daily: new patch plugins arrive continuously, and the requirement also calls for scanning when new vulnerabilities affecting your systems are identified. Leave Safe Checks enabled on production systems and keep the "Denial of Service" family disabled unless you have a maintenance window for it. Use plugin filters to drop checks that cannot apply (families for operating systems not in scope) and set reporting thresholds so critical and high findings lead the report. Always keep the informational plugins that prove a scan was credentialed: 19506 (Nessus Scan Information) records the plugin feed version, the policy used and whether credentialed checks ran, 141118 reports valid credentials per protocol, and 21745 (Authentication Failure - Local Checks Not Run), 110385 (Insufficient Privilege) and 117886 (OS Security Patch Assessment Not Available) tell you, and an auditor, when a host was not actually assessed. Document the plugin set as part of the scan evidence: plugin IDs, feed version and the template used.
Building scan templates and scheduling for auditability
Create at least two scan templates: a credentialed "Authenticated Patch & Config Audit" (Advanced Scan with credentials, local security checks and, where used, compliance audits) for in-depth verification, and a lighter "Discovery + Unauthenticated" template for asset discovery and external validation. Key template settings: keep the default port range for the credentialed patch audit (local checks do not depend on open ports) and widen it to all ports only in the discovery template where the scope requires it; raise "Max Checks Per Host" under Performance only after testing on representative hosts; lengthen the SSH and SMB timeouts and retries on slow links; leave Safe Checks enabled unless you can tolerate intrusive tests. Schedule the credentialed template at least weekly for servers and monthly for endpoints (or on your organization's patch cycle), add an ad hoc run whenever a new vulnerability affecting in-scope systems is published, since RA.L2-3.11.2 requires scanning on that trigger as well as periodically, and keep the scan calendar and scan logs to demonstrate ongoing compliance to auditors.
Small-business real-world scenario
Example: a 50-endpoint small business with three domain-joined Windows servers. Create a domain service account 'svc_nessus' that is an ordinary domain user with no additional AD rights, add it to the local Administrators group on the three servers (and on the in-scope workstations) through a Group Policy Restricted Groups or Group Policy Preferences setting used only for scanning, allow Remote Registry and WMI through the Windows Firewall from the scanner's IP by Group Policy, and deploy a Nessus scanner inside the LAN. Build two templates: "Workstation Weekly Auth" (SMB credentials, local security checks, excluding printers and the BYOD VLAN) and "Server Daily Auth" (SMB credentials, local security checks plus compliance audits). Run the server scan daily, enable automatic plugin updates, and export PDF/CSV reports together with the raw .nessus file (which carries the plugin IDs, feed version and timestamps) into your compliance evidence repository, recording a hash of each export so its integrity can be shown later (documented in your Compliance Framework audit binder).
Failing to implement credentialed scanning leaves you blind to many critical vulnerabilities: missing patches, vulnerable installed packages that expose no network service, misconfigurations and local privilege escalation paths. That raises the likelihood of breach and data exfiltration, and of audit failure. Auditors expect authenticated results that demonstrate patch levels and configuration posture; unauthenticated scans alone rely on banner and version inference, produce more false positives and false negatives, and are insufficient to prove compliance with RA.L2-3.11.2.
Compliance tips and best practices: use a secrets manager (HashiCorp Vault, CyberArk, or the Nessus credential store), integrate dynamic or vaulted credentials where your Nessus edition supports it, rotate scan credentials on a schedule, and limit credential scope to the minimum the checks need. Maintain a change log for scan policies and templates (who changed what and why), attach remediation notes to each finding in your ticketing system, and correlate Nessus findings with your CMDB so decommissioned assets drop out of scope instead of being rescanned. For evidence, export scan details including the scan policy name, plugin feed version, plugin IDs, scan start time and the per-host credentialed status; these are the artifacts auditors typically request, and a host that reports authentication failure or insufficient privilege must be treated as not scanned rather than as clean.
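The evidence fields listed above, and the credential-status plugins named in the plugin-selection section, can be pulled straight out of the .nessus XML export instead of being transcribed from PDFs. The following is an added example written for this article, not Tenable code or an official Nessus tool; it depends only on the documented NessusClientData_v2 layout (Policy/policyName, Report/ReportHost, HostProperties tags, ReportItem attributes) and on the plugin IDs 19506, 21745, 110385 and 117886 cited in the text. The embedded export is a constructed sample, not a real scan, and the SHA-256 it records is the integrity hash the evidence repository would keep alongside the file.

```python
"""Turn a Nessus .nessus (XML v2) export into an audit evidence summary.

Added example for this article, not Tenable's code. SAMPLE_NESSUS below is
a constructed export, not a real scan. Plugin 57608 (SMB Signing not
required) is used only as a realistic, real finding for the sample.
"""
import hashlib
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Plugins whose presence means the host was NOT fully assessed.
NOT_ASSESSED = {"21745", "110385", "117886"}
SEVERITY = {"0": "info", "1": "low", "2": "medium", "3": "high", "4": "critical"}

SAMPLE_NESSUS = b"""<?xml version="1.0" ?>
<NessusClientData_v2>
<Policy><policyName>Authenticated Patch &amp; Config Audit</policyName></Policy>
<Report name="Server Daily Auth">
<ReportHost name="10.0.10.5">
<HostProperties>
<tag name="host-fqdn">srv01.example.local</tag>
<tag name="HOST_START">Tue Mar  5 02:00:11 2024</tag>
</HostProperties>
<ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="19506" pluginName="Nessus Scan Information" pluginFamily="Settings">
<plugin_output>Information about this scan :

Plugin feed version : 202403050001
Scan policy used : Authenticated Patch &amp; Config Audit
Credentialed checks : yes, as 'svc_nessus' via SMB
</plugin_output>
</ReportItem>
<ReportItem port="445" svc_name="cifs" protocol="tcp" severity="2" pluginID="57608" pluginName="SMB Signing not required" pluginFamily="Misc."/>
</ReportHost>
<ReportHost name="10.0.10.6">
<HostProperties>
<tag name="host-fqdn">srv02.example.local</tag>
<tag name="HOST_START">Tue Mar  5 02:03:40 2024</tag>
</HostProperties>
<ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="19506" pluginName="Nessus Scan Information" pluginFamily="Settings">
<plugin_output>Plugin feed version : 202403050001
Credentialed checks : no
</plugin_output>
</ReportItem>
<ReportItem port="445" svc_name="cifs" protocol="tcp" severity="0" pluginID="21745" pluginName="Authentication Failure - Local Checks Not Run" pluginFamily="Settings"/>
</ReportHost>
</Report>
</NessusClientData_v2>
"""


def _scan_info(host):
    """Read the feed version and credentialed flag from plugin 19506's output."""
    for item in host.findall("ReportItem"):
        if item.get("pluginID") == "19506":
            out = item.findtext("plugin_output") or ""
            feed = re.search(r"Plugin feed version\s*:\s*(\d+)", out)
            cred = re.search(r"Credentialed checks\s*:\s*(yes|no)", out)
            return (feed.group(1) if feed else None,
                    cred is not None and cred.group(1) == "yes")
    return None, False


def parse_evidence(nessus_xml: bytes) -> dict:
    """Summarise an export into the fields an auditor asks for."""
    root = ET.fromstring(nessus_xml)
    report = root.find("Report")
    summary = {
        "policy": root.findtext("Policy/policyName"),
        "report": report.get("name"),
        "export_sha256": hashlib.sha256(nessus_xml).hexdigest(),
        "feed_version": None,
        "hosts": [],
    }
    for host in report.findall("ReportHost"):
        feed, credentialed = _scan_info(host)
        summary["feed_version"] = summary["feed_version"] or feed
        counts = {name: 0 for name in SEVERITY.values()}
        not_assessed = []
        for item in host.findall("ReportItem"):
            counts[SEVERITY[item.get("severity", "0")]] += 1
            if item.get("pluginID") in NOT_ASSESSED:
                not_assessed.append(item.get("pluginID"))
        start = host.findtext("HostProperties/tag[@name='HOST_START']")
        summary["hosts"].append({
            "name": host.get("name"),
            "fqdn": host.findtext("HostProperties/tag[@name='host-fqdn']"),
            # Only count a host as assessed when 19506 says credentialed AND
            # none of the failure plugins fired for it.
            "credentialed": bool(credentialed and not not_assessed),
            "not_assessed_plugins": not_assessed,
            "findings": counts,
            "start": datetime.strptime(start, "%a %b %d %H:%M:%S %Y")
                     .replace(tzinfo=timezone.utc) if start else None,
        })
    return summary


def unassessed_hosts(summary: dict) -> list:
    """Hosts that must not be reported as scanned for RA.L2-3.11.2."""
    return [h["name"] for h in summary["hosts"] if not h["credentialed"]]


def within_interval(summary: dict, now: datetime, max_age: timedelta) -> bool:
    """True when every host's scan start falls inside the required interval."""
    return all(h["start"] is not None and now - h["start"] <= max_age
               for h in summary["hosts"])


if __name__ == "__main__":
    ev = parse_evidence(SAMPLE_NESSUS)
    print(ev["policy"], ev["feed_version"], ev["export_sha256"])
    print("not assessed:", unassessed_hosts(ev))
    print("weekly interval met:", within_interval(
        ev, datetime.now(timezone.utc), timedelta(days=7)))
```

In the sample, srv02 answered the port scan but plugin 21745 fired, so unassessed_hosts() lists it; that host needs a credential fix and a rescan before it can appear in the evidence binder as covered. Run the script against real exports by replacing SAMPLE_NESSUS with the bytes of each downloaded .nessus file.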
In summary, configuring Nessus to satisfy RA.L2-3.11.2 requires careful planning (service accounts, network access and evidence requirements), correct credential configuration, selective plugin enabling, and repeatable scan templates with a documented schedule that also covers scans triggered by newly identified vulnerabilities. For small businesses, start with a simple, documented credentialed policy for servers and workstations, automate plugin updates and scheduled scans, and preserve the exported reports, raw .nessus files and scan logs as Compliance Framework evidence of continuous monitoring and remediation.