Associate compensating controls with CVEs or TPEs for risk reduction requests

  • Release version: Australia
  • Updated March 12, 2026

  As a Vulnerability Manager or Analyst, you can associate relevant compensating controls with a Common Vulnerability Entry (CVE) or Third-party Entry (TPE) in the Security Exposure Management Workspace. These controls can then be used to reduce the risk posed by a vulnerability.

    Before you begin

    Role required: sn_vul.vulnerability_analyst, or sn_vul.vulnerability_admin

    About this task

    • If you don’t associate compensating controls with a CVE or TPE, all the active controls appear in the Select Compensating Controls field of the Request Exception form.
    • If you associate a compensating control with a CVE, this compensating control is automatically associated with the TPE that is mapped to the CVE.
    Note:
    The compensating controls feature is available for host vulnerabilities only.

    Procedure

    1. Navigate to Workspaces > Security Exposure Management Workspace.
    2. On the Lists page, under Libraries, open the record that you want to associate the controls with:
      • CVE from the CVEs list.
      • TPE from the TPEs list.
    3. Select Associate controls.
      Note:
      The Associate controls button appears only when risk reduction is enabled for the CVE or TPE. If the Associate controls button isn’t visible, select Enable risk reduction.
    4. On the Associate controls modal, select the compensating controls that can be applied to vulnerabilities associated with the CVE or TPE for risk reduction.
    5. Select Submit.
      • The associated compensating controls appear in the Applicable compensating controls tab in the record view of the CVE and TPE.
      • When a remediation owner requests risk reduction, these associated compensating controls appear in the Select Compensating Controls field on the Request Exception modal.