Both
- Should always either remediate, accept, or recast critical and high vulnerabilities.
- Comments and Expiration Date (reasonable length no longer than a year) are always mandatory.
- "No known exploits" is not a valid reason by itself for accepted or recast risk (an exploit could come out tomorrow).
- No need to accept/recast risk if Low severity (or lower).
Accepted Risk
- Accepted Risk is accepting you won't/can't fix (intentionally not addressing the issue), at the Tenable reported severity.
- Put reason why you can't fix in the comments, especially highlighting if due to lack of resources.
- Should be accepted risk if there is a time period involved (i.e. decommissioning system soon, expiration date as the shutdown date), "low risk server", "no important data", or if unable to fix.
If implemented compensating controls, use this to accept the residual risk (explain compensating controls in the comments).
- If system has already been shut down, re-run scan to verify it is no longer there rather than accept risk.
...