In 2012, the Defense Information Systems Agency (DISA) awarded the Assured Compliance Assessment Solution (ACAS) to HP Enterprise Services (now Perspecta) and Tenable, Inc., the leader in Cyber Exposure, vulnerability management, continuous network monitoring, advanced analytics, and context-aware security. ACAS continues to be the solution for assessing U.S. Department of Defense (DoD) enterprise networks and connected IT systems against DoD standards, as well as for identifying any known system vulnerabilities.
ACAS is the selected platform for Vulnerability Management and reporting for the DoD and related agencies. ACAS provides asset tracking and vulnerability management required by Continuous Monitoring and Risk Scoring (CMRS) and Command Cyber Readiness Inspections (CCRI). ACAS provides the ability to detect assets and vulnerabilities using several sensors, including active scanning, passive discovery, agent-based scanning, and event analysis. Agencies are provided with the ability to run configuration audits using SCAP files or Tenable STIG Audit files.
ACAS is mandated for DoD use by various U.S. Cyber Command task orders, including USCYBERCOM TASKORD 13-0670, 'Implementation of Assured Compliance Assessment Solution (ACAS) for the Enterprise.' DISA OPORD 14-037 is an important reference for DISA systems. The intent is to improve the "capability of DoD to quickly and accurately assess the security posture of DoD enterprise networks." The ACAS capability aligns with DoD Enterprise Secure Configuration Management and continuous monitoring initiatives.
|Nessus (Scanners controlled by Tenable.sc)||Yes|
|1GB Nessus Network Monitor (formerly Passive Vulnerability Scanner or PVS)||Yes|
|10GB Nessus Network Monitor (formerly Passive Vulnerability Scanner or PVS)||No, but recommended|
|5TB Log Correlation Engine (LCE)||Yes|
|Log Correlation Engine (LCE) greater than 5TB||No, but recommended|
|Tenable.sc™ (formerly SecurityCenter)||Yes|
|Tenable.sc™ Continuous View||Yes|
Yes! You may elect to purchase software not included in the ACAS contract. There are many ACAS users who have elected to purchase additional components, such as 10 GB NNM or Log Correlation Engine (LCE) greater than a 5TB license to complement their ACAS deployments. Contact the Tenable ACAS team for more information. Each organization/command has different rules regarding the use of software within their environments. Check with your Approving Officer (AO) for rules regarding the use of new software.
Each organization/command has different rules regarding the use of software within their environments. Check with your Approving Officer (AO) and/or Director of Information Management (DOIM) for rules regarding the use of new software.
No problem! If you buy a component not provided by ACAS, and the ACAS office provides it later, turn off your subscription and convert the licenses over to the ACAS licenses. All software sold by Tenable is sold using the subscription model. Simply put, you can cancel your subscription at any time. Further, the licensing model provides minimal startup costs and easy-to-project pricing for all users.
No, ACAS can be used on any DoD combat mission system regardless of classification. Note: the DISA ACAS Helpdesk only provides support up to the Secret Level (SIPR). For more information on supporting classified networks, contact DISA support.
Through the ACAS licensing portal at https://www.disa.mil/cybersecurity/network-defense/acas.
Licenses expire in February the year after you acquired the license. For example, a license acquired in 2018 will expire in February 2019.
Through the ACAS licensing portal at https://www.disa.mil/cybersecurity/network-defense/acas.
No, your company must buy licensing directly from Tenable. Software included in the ACAS program is available to DoD and DISA enterprise systems at no cost. The software must be used on DoD-owned mission systems and NOT contractor-owned systems.
If you are using an ACAS license on a product obtained through the ACAS program office, you must utilize the DISA Helpdesk in Oklahoma City. Please visit the DISA website for contact information. If you purchased product licenses from Tenable, then use the Tenable Community to open a support case.
ACAS provides licenses for several products, each with different system requirements. Each product's hardware and software requirements are listed below.
Red Hat Enterprise Server 5 (64-bit), 6 (64-bit) and 7 (64-bit). CentOS 5 (64-bit), CentOS 6 (64-bit) and 7 (64-bit) are also officially supported.
DISA provides a Kickstart CD that helps Linux novices deploy the ACAS suite. Check the DISA ACAS portal for the Kickstart offerings.
Yes. CentOS is a free distribution of Linux that is compatible with ACAS software. Note: Check with your Approving Officer (AO) and/or Director of Information Management (DOIM) for information on eligibility or support.
Yes. SELinux policy configuration is supported in a "Permissive" mode.
Tenable does offer virtual appliances, but the ACAS program office has never accredited them within the ACAS program.
Please consider the following:
Tenable has a full-time threat intelligence team that develops new plugins and updates existing plugins on a daily basis. Since attackers don't have a 9-5 job, Tenable works around the clock to provide plugins to respond to ever-evolving threats.
Twice daily the HP/DISA team downloads, reviews, and publishes Tenable's latest plugins to the DISA ACAS patch repository. Since moving the files to SIPR is a manual process, the SIPR plugins have a slight delay compared to unclassified networks.
Yes. You can create custom plugins and audit files. Tenable offers documentation and Professional Services to write custom plugins. Contact Tenable ACAS Team for more information.
Nessus plugins are used to detect vulnerabilities (e.g., missing patches), whereas audits are used to determine that servers are configured correctly or are "compliant" with a particular standard. The advantage of using Nessus to perform vulnerability scans and compliance audits is that all of this data can be obtained at one time. Knowing how a server is configured, how it is patched, and what vulnerabilities are present can help determine measures to mitigate risk. At a higher level, if this information is aggregated for an entire network or asset class (as with Tenable's SecurityCenter), security and risk can be analyzed globally. This enables auditors and network managers to spot trends in non-compliant systems and adjust controls to fix these on a larger scale.
Email the DISA Helpdesk or contact support.
The Security Content Automation Protocol (SCAP) is a line of standards managed by NIST. It was created to provide a standardized approach to maintaining the security of enterprise systems, such as automatically verifying the presence of patches, checking system security configuration settings, and examining systems for signs of compromise.
SCAP benchmark audit files assign a severity code to each system security weakness to indicate the risk level associated with the security weakness and the urgency with which the corrective action must be completed.
This collection presents the analyst with vulnerability information within the environment. Data is prioritized based on the number of SCAP severity vulnerability concerns; on networks that have SCAP vulnerability results; when audits have been performed; through an IP summary; and with a "failing items" SCAP vulnerability summary.
Yes. SecurityCenter 5.x received its SCAP 1.2 certification in August 2015.
SCAP files are available through the NIST website. After downloading the SCAP file, load the file into Tenable.sc in much the same way as a Tenable Audit file. Set the classification and other settings. Then associate the SCAP file with a scan policy. Now you are ready to run an SCAP assessment against a target system. Here is a video showing this process.
More information is available on the SCAP website.
Yes! ACAS can be used on any DoD Combat Mission System regardless of classification.
Yes. For inquiries on support on higher classified environments, please contact support.
The CMRS site receives vulnerability inputs from other sources and displays them. ACAS and Host Based Security System (HBSS) feed CMRS, which displays vulnerabilities and totals by the accountable agency. This means the accrediting agency and accountable system owner will see all vulnerabilities associated with their system in CMRS.
Please contact DISA for more information on CMRS.
Tenable.sc Continuous View (Tenable.sc CV) deploys 4 vulnerability data collectors: Active Scanning, Passive Discovery, Agent Scanning, and Event Analysis. Using all 4 data collectors, the organization can get a continuous view of vulnerability data within their network.
Yes, as are all Tenable.sc CV products: Nessus, Nessus Network Monitor (NNM) and Log Correlation Engine (LCE). Additionally, Tenable.sc supports Proximity Card Authentication.
Tenable.sc supports the following features and enhancements:
Nessus is the de-facto industry standard vulnerability assessment solution for security practitioners. Nessus helps DoD security professionals quickly and easily identify and fix vulnerabilities - including software flaws, missing patches, malware, and misconfigurations - across a variety of operating systems, devices and applications.
No. Nessus Professional is NOT part of ACAS. Nessus Professional is an independent scanner used for auditing. The version of Nessus provided by ACAS is a special version of the scanner that is managed by Tenable.sc.
You need to install SecurityCenter with a Nessus scanner on the laptop and conduct your scans via Tenable.sc. Though not optimal, the licensing structure of ACAS does not allow for the use of Nessus Professional, which would facilitate scanning without an installation of Tenable.sc.
For more information on Nessus, click here.
The primary purpose of Nessus Manager is to perform agent management and agent scan operations for on-premise infrastructure (10,000 systems). Nessus Manager is used to configure agent scans, manage agent groups, and act as the front-end connection for collecting agent data. Agent scans in Tenable.sc are configured to retrieve Nessus Agent scan results from Nessus Manager. Nessus Manager automatically provides plugin and version updates to Nessus Agents. More information on Nessus Manager performance can be found here.
Yes, Nessus Manager and Nessus Agents are included in the ACAS contract.
NNM is a passive vulnerability scanner. Do you know what happens between the last time an active vulnerability scan is completed and the next time a scan is completed? New hosts, new ports, new services, and new vulnerabilities can arrive on your networks faster than you may be allowed to scan for them. NNM can find out what is happening on your network without scheduling and waiting for an active scan. NNM monitors your network for potential application compromises, trust relationships, and open or browsed network protocols. For more info on NNM, click here.
No, NNM is deployed in a strategic location to monitor workstation and server communications to be more preemptive in nature. NNM is designed to provide analysts with near real-time vulnerability detection and asset discovery. While not an IDS or Network Access Control (NAC), NNM uses similar techniques to reduce active scanning efforts. For example, NNM can detect new devices and launch vulnerability scans, or send emails when new services are detected. NNM is a powerful differentiator Tenable.sc provides to the ACAS program.
NNM is typically installed connected to a mirrored or SPAN port. However, NNM can also be installed on specific application servers such as DNS, DHCP, or file servers. By deploying NNM on key systems on the network, Tenable.sc is able to better detect assets on the network and perform vulnerability assessments.
Yes, NNM monitors network traffic for potential problems and detects otherwise un-scannable devices and highly-sensitive systems such as Supervisory Control and Data Acquisition (SCADA) or medical devices. This passive scanning is invaluable to the security of these sensitive devices and networks. While NNM provides a limited passive scanning ability with Industrial Control Systems (ICS) or SCADA, Tenable Industrial Security (IS) is a more complete and comprehensive solution. IS is not part of the ACAS contract but is available to purchase outside of the contract. For more information, click here.
NNM can be configured to sniff an entire network or just a particular server in which you are interested. For example, if you have a web server that you need to monitor 24/7, you can configure NNM to listen to all incoming and outgoing traffic to this server.
NNM can handle up to 1 Gbps full packet capturing, but is still effective at rates beyond that. Though not available via ACAS, Tenable offers a 10 Gbps version of NNM. For more information about the 10 Gbps version, contact sales.
Yes. NNM looks for text like 'amex', 'visa', 'top secret', etc., and pulls out those numbers and logs them in real-time.
Yes. NNM can detect new user SIDs going across the network.
Yes, NNM can detect rogue hosts on the network and trigger custom workflows.
Yes, NNM can be used to eliminate the need for discovery scans by triggering credentialed scans when detecting hosts connecting to the network.
NNM can detect that the traffic is encrypted, but NNM won't be able to natively decrypt and detect the vulnerabilities within that traffic. NNM is able to tell whether the communication is incoming or outgoing. If you utilize SSL Taps, you do have the potential to review SSL encrypted data using NNM.
Log Correlation Engine (LCE) is designed to aggregate, normalize, correlate, and analyze event log data from raw network traffic, intrusion detection data, system and application logs, and user activity within your infrastructure. For more information on LCE, click here.
LCE enables you to:
Out of the box, Splunk does not provide active correlation of vulnerability data. Using LCE, you have the ability to instantly provide out of the box correlation of data over a multitude of data sources to provide analysis for compliance and vulnerability data that will enable you to search for indicators of compromise. Additionally, LCE has a Splunk connector. Once data is correlated, it can be sent to Splunk for analysis and alerting. This can help reduce license cost while improving the quality of data going into Splunk.
Yes. Using a lightweight agent installed on a Windows host, LCE enables you to securely retrieve Windows, system, and application log data.
Yes. LCE has agents for Windows and Unix/Linux host operating systems.
No. To pull data from devices such as routers and switches, LCE supports receiving SYSLOG data.
LCE agents provide log data retrieval, compression, and encryption. Additionally, they provide File Integrity Monitoring (FIM).
LCE hashes the files, folders, and directories that you select. It monitors these for changes and, when a change is detected, creates an event which can be used to trigger a workflow. For example, the /etc/hosts file shouldn't change much, so a change detected there is often an indicator of compromise.
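The hash-baseline-and-compare approach described above, as an added example that is not LCE's own code or part of the original page. The function names and the sample files (constructed in a temporary directory) are assumptions for illustration.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def snapshot(paths):
    """Map every regular file under the selected files/directories to its hash."""
    state = {}
    for root in paths:
        if os.path.isfile(root):
            state[os.path.abspath(root)] = sha256_file(root)
            continue
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                full = os.path.join(dirpath, name)
                if os.path.isfile(full) and not os.path.islink(full):
                    state[os.path.abspath(full)] = sha256_file(full)
    return state

def diff_events(baseline, current):
    """Compare two snapshots and return (kind, path) events, sorted by path."""
    events = []
    for path in sorted(baseline.keys() | current.keys()):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            events.append(("created", path))
        elif new is None:
            events.append(("deleted", path))
        elif old != new:
            events.append(("modified", path))
    return events

def demo():
    """Constructed sample: baseline a directory, change it, report events."""
    with tempfile.TemporaryDirectory() as d:
        hosts, conf = os.path.join(d, "hosts"), os.path.join(d, "app.conf")
        with open(hosts, "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        with open(conf, "w") as fh:
            fh.write("debug=false\n")
        baseline = snapshot([d])
        with open(hosts, "a") as fh:            # unexpected new hosts entry
            fh.write("203.0.113.10 updates.example\n")
        os.remove(conf)                         # monitored file disappears
        with open(os.path.join(d, "rc.local"), "w") as fh:
            fh.write("#!/bin/sh\n")             # new file appears
        events = diff_events(baseline, snapshot([d]))
        return [(kind, os.path.basename(p)) for kind, p in events]

if __name__ == "__main__":
    for kind, name in demo():
        print(f"FIM event: {kind} {name}")
```

Each returned event is the point at which a monitoring product would raise an alert or start a workflow; the baseline itself needs to be stored where the monitored host cannot rewrite it.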
Yes. A Log Calculator is available upon request. Contact support to request it.
Yes. LCE will enable you to set log retention guidelines.
Yes. Once log data is collected, it is signed/hashed and stored. This helps ensure forensic authenticity of log data in the event it is needed as part of any investigation.
Yes. There is an Active/Active version of LCE often used for high value targets where no log data can be lost. Contact sales for more information.
Yes. LCE provides compression of log data both in transit and when stored.
Yes. LCE encrypts data in transit between LCE and the source host if the agent is used.
You can get more information on LCE by emailing sales.
Yes, as are all SecurityCenter Continuous View (SCCV) products: Nessus, Passive Vulnerability Scanner (PVS), and Log Correlation Engine (LCE). Additionally, SecurityCenter now supports Proximity Card Authentication.
The ACAS program office provides training classes to all ACAS users. Some of these classes are virtual and others are in-person. Information on these classes can be found here.
Additionally, Tenable has opened up its training catalogue to ACAS users. Visit the ASK-ACAS.INFO training section for details on how you can gain access to the Tenable training material.
Training material is provided to Tenable's commercial customers as part of their support package. Tenable has agreed to open this material up to ACAS users despite the fact they are not directly supported by Tenable. The initial offering will be for non-ACAS specific content. Tenable is diligently working to provide ACAS-specific content that will help ensure users have a wide range of training options while waiting to attend a DISA-provided class.
Downloads of all Tenable products are available at https://www.tenable.com/downloads, including products licensed through ACAS. You will only be able to license products available through ACAS unless you have purchased them outside of the ACAS program.