Frequently Asked Questions

General

What is ACAS?

In 2012, the Defense Information Systems Agency (DISA) awarded the Assured Compliance Assessment Solution (ACAS) to HP Enterprise Services (now Perspecta) and Tenable, Inc., the leader in Cyber Exposure, vulnerability management, continuous network monitoring, advanced analytics, and context-aware security. ACAS continues to be the solution for assessing U.S. Department of Defense (DoD) enterprise networks and connected IT systems against DoD standards, as well as for identifying any known system vulnerabilities.

What can ACAS do?

ACAS is the selected platform for vulnerability management and reporting for the DoD and related agencies. ACAS provides the asset tracking and vulnerability management required by Continuous Monitoring and Risk Scoring (CMRS) and Command Cyber Readiness Inspections (CCRI). ACAS can detect assets and vulnerabilities using several sensors, including active scanning, passive discovery, agent-based scanning, and event analysis. Agencies can run configuration audits using SCAP files or Tenable STIG Audit files.

Who must use ACAS?

ACAS is mandated for DoD use by various U.S. Cyber Command task orders, including USCYBERCOM TASKORD 13-0670, 'Implementation of Assured Compliance Assessment Solution (ACAS) for the Enterprise.' DISA OPORD 14-037 is an important reference for DISA systems. The intent is to improve the "capability of DoD to quickly and accurately assess the security posture of DoD enterprise networks." The ACAS capability aligns with DoD Enterprise Secure Configuration Management and continuous monitoring initiatives.

What Products are included in ACAS?

| Solution | ACAS Provided |
|---|---|
| Nessus® Professional | No |
| Nessus® Manager | Yes |
| Tenable.io® | No |
| Nessus Agents | Yes |
| Nessus (Scanners controlled by Tenable.sc) | Yes |
| 1GB Nessus Network Monitor (formerly Passive Vulnerability Scanner or PVS) | Yes |
| 10GB Nessus Network Monitor (formerly Passive Vulnerability Scanner or PVS) | No, but recommended |
| 5TB Log Correlation Engine (LCE) | Yes |
| Log Correlation Engine (LCE) greater than 5TB | No, but recommended |
| Tenable.sc™ (formerly SecurityCenter) | Yes |
| Tenable.sc™ Continuous View | Yes |

Can I use/am I allowed to use software not provided by ACAS?

Yes! You may elect to purchase software not included in the ACAS contract. Many ACAS users have elected to purchase additional components, such as 10 GB NNM or a Log Correlation Engine (LCE) license greater than 5TB, to complement their ACAS deployments. Contact the Tenable ACAS team for more information.

Each organization/command has different rules regarding the use of software within their environments. Check with your Approving Officer (AO) and/or Director of Information Management (DOIM) for rules regarding the use of new software.

What if I buy a piece of software and ACAS starts providing it?

No problem! If you buy a component not provided by ACAS, and the ACAS office provides it later, turn off your subscription and convert the licenses over to the ACAS licenses. All software sold by Tenable is sold using the subscription model. Simply put, you can cancel your subscription at any time. Further, the licensing model provides minimal startup costs and easy-to-project pricing for all users.

Licensing

Is ACAS only for Non-Secure Internet Protocol (NIPR)?

No, ACAS can be used on any DoD combat mission system regardless of classification. Note: the DISA ACAS Helpdesk only provides support up to the Secret Level (SIPR). For more information on supporting classified networks, contact DISA support.

Where do I get an ACAS license?

Through the ACAS licensing portal at https://www.disa.mil/cybersecurity/network-defense/acas.

When does my license expire?

Licenses expire in February the year after you acquired the license. For example, a license acquired in 2018 will expire in February 2019.

How do I renew my license?

Through the ACAS licensing portal at https://www.disa.mil/cybersecurity/network-defense/acas.

I am a contractor. Can my company use ACAS licensing?

No, your company must buy licensing directly from Tenable. Software included in the ACAS program is available to DoD and DISA enterprise systems at no cost. The software must be used on DoD-owned mission systems and NOT contractor-owned systems.

Examples for valid licensing use:
  • The United States Air Force (USAF) hires contractor "X" to manage the IT infrastructure for its "Y" project. The infrastructure is part of the USAF.MIL network.
  • The U.S. Navy has sailors conduct SCAP compliance scans on computers aboard the CVN-75, the Harry S. Truman.
Examples for invalid licensing use:
  • The United States Army hired contractor "X" to develop a new battle tank. Contractor "X" may not use ACAS licenses on corporate-owned networks to develop the battle tank.
  • Contractor "X" builds a cloud infrastructure where DoD entities can purchase hosting capacity.

Support

How do I contact support?

If you are using an ACAS license on a product obtained through the ACAS program office, you must utilize the DISA Helpdesk in Oklahoma City. Please visit the DISA website for contact information. If you purchased product licenses from Tenable, then use the Tenable Community to open a support case.

System Requirements

What does ACAS run on?

ACAS provides licenses for several products, each with different system requirements. Each product's hardware and software requirements are listed below.

What versions of Linux are supported?

Red Hat Enterprise Server 5 (64-bit), 6 (64-bit) and 7 (64-bit). CentOS 5 (64-bit), CentOS 6 (64-bit) and 7 (64-bit) are also officially supported.

What if I don't know Linux?

DISA provides a Kickstart CD that helps Linux novices deploy the ACAS suite. Check the DISA ACAS portal for the Kickstart offerings.

Can I use a free version of Linux?

Yes. CentOS is a free distribution of Linux that is compatible with ACAS software. Note: Check with your Approving Officer (AO) and/or Director of Information Management (DOIM) for information on eligibility or support.

Does ACAS Support SELinux for Tenable.sc?

Yes. SELinux policy configuration is supported in a "Permissive" mode.

Are there virtual appliances for ACAS?

Tenable does offer virtual appliances, but the ACAS program office has never accredited them within the ACAS program.

Are there additional guidelines to be considered when deploying ACAS?

Please consider the following:

  • If the Nessus scanner is deployed on the same system as Tenable.sc (formerly SecurityCenter), there will be less CPU and memory available during scans, causing slower performance. Use multi-core and/or multiple CPU servers to alleviate this. Placing the scanner on a secondary machine will alleviate performance bottlenecks.
  • If one or more NNMs are in use, use multi-core and/or multiple CPU servers to increase performance.
  • Use the aggregate of the individual software product resource requirements to determine total hardware system requirements.
  • If Nessus, NNM, or LCE are deployed on the same server as Tenable.sc, consider configuring the server with multiple network cards and IP addresses.
  • Tenable recommends 10K or 15K rpm SAS drives, or solid state drives, in a RAID 0/10 configuration for maximum write/query performance.

Plugins

How often are plugins updated?

Tenable has a full-time threat intelligence team that develops new plugins and updates existing plugins on a daily basis. Since attackers don't have a 9-5 job, Tenable works around the clock to provide plugins to respond to ever-evolving threats.

Who manages the plugin feeds for ACAS?

Twice daily the HP/DISA team downloads, reviews, and publishes Tenable's latest plugins to the DISA ACAS patch repository. Since moving the files to SIPR is a manual process, the SIPR plugins have a slight delay compared to unclassified networks.

Can you create custom plugins?

Yes. You can create custom plugins and .audit files. Tenable offers documentation and Professional Services to write custom plugins. Contact the Tenable ACAS Team for more information.

What is the difference between a plugin versus ".Audit" file?

Nessus plugins are used to detect vulnerabilities (e.g., missing patches), whereas audits are used to determine that servers are configured correctly or are "compliant" with a particular standard. The advantage of using Nessus to perform both vulnerability scans and compliance audits is that all of this data can be obtained at one time. Knowing how a server is configured, how it is patched, and what vulnerabilities are present can help determine measures to mitigate risk. At a higher level, if this information is aggregated for an entire network or asset class (as with Tenable's SecurityCenter), security and risk can be analyzed globally. This enables auditors and network managers to spot trends in non-compliant systems and adjust controls to fix these on a larger scale.

How can I request additional .Audit files not posted on the DISA ACAS Portal?

Email the DISA Helpdesk or contact support.

SCAP

What is SCAP?

The Security Content Automation Protocol (SCAP) is a line of standards managed by NIST. It was created to provide a standardized approach to maintaining the security of enterprise systems, such as automatically verifying the presence of patches, checking system security configuration settings, and examining systems for signs of compromise.

SCAP benchmark audit files assign a severity code to each system security weakness to indicate the risk level associated with the security weakness and the urgency with which the corrective action must be completed.

This collection presents the analyst with vulnerability information within the environment. Data is prioritized based on the number of SCAP severity vulnerability concerns; on networks that have SCAP vulnerability results; when audits have been performed; through an IP summary; and with a "failing items" SCAP vulnerability summary.

Is ACAS SCAP certified?

Yes. SecurityCenter 5.x received its SCAP 1.2 certification in August 2015.

How do I use SCAP?

SCAP files are available through the NIST website. After downloading the SCAP file, load it into Tenable.sc in much the same way as a Tenable Audit file. Set the classification and other settings, then associate the SCAP file with a scan policy. You are now ready to run a SCAP assessment against a target system. Here is a video showing this process.

Where can I get more information on SCAP?

More information is available on the SCAP website.

Classified Networks

Can ACAS be used on classified networks?

Yes! ACAS can be used on any DoD Combat Mission System regardless of classification.

Can I get support for classified deployments?

Yes. For inquiries on support on higher classified environments, please contact support.

Is there a guide for updating ACAS products in air-gapped networks?

Yes, DISA-maintained information is available on the DISA Patch Repository (requires CAC email certificate). A Tenable-maintained guide can be found here.

Reporting

What is Continuous Monitoring Risk Scoring (CMRS)?

The CMRS site receives vulnerability inputs from other sources and displays them. ACAS and Host Based Security System (HBSS) feed CMRS, which displays vulnerabilities and totals by the accountable agency. This means the accrediting agency and accountable system owner will see all vulnerabilities associated with their system in CMRS.

Where can I find out more information on CMRS?

Please contact DISA for more information on CMRS.

Tenable.sc

What is Tenable.sc Continuous View?

Tenable.sc Continuous View (Tenable.sc CV) deploys 4 vulnerability data collectors: Active Scanning, Passive Discovery, Agent Scanning, and Event Analysis. Using all 4 data collectors, the organization can get a continuous view of vulnerability data within its network.

Is Tenable.sc CAC-enabled?

Yes, as are all Tenable.sc CV products: Nessus, Nessus Network Monitor (NNM) and Log Correlation Engine (LCE). Additionally, Tenable.sc supports Proximity Card Authentication.

Tenable.sc supports the following features and enhancements:

  • Assurance Report Cards (ARCs) are used to measure effectiveness of the security program, based on business objectives, including pre-defined ARCs focused on monitoring the top five security objective Critical Cyber Controls (CCC) that have the greatest impact to ensuring security posture.
  • Advanced analytics that provide contextual insight and actionable information to prioritize security issues.
  • Improved searching and trending of scan and event data to speed up analysis, as well as many other additional enhancements.
  • Support for Nessus Agents, which collect data from previously inaccessible systems. Without agents, transient systems like laptops, which were often disconnected from the network when traditional scans were run, simply did not get scanned. Additionally, scanning remote systems over limited bandwidth connections and scanning across complex, segmented networks was often not easy or feasible.

How do I know what version of Tenable.sc (formerly SecurityCenter) I'm using?

To view which version of Tenable.sc you are using, perform the following steps:

  1. Log in to Tenable.sc.
  2. In the upper-right corner, under your login ID, click the down arrow, and then click About.
  3. The dialog box displays the version of Tenable.sc currently running.

Nessus, Nessus Professional, Nessus Manager

What is Nessus Professional?

Nessus is the de-facto industry standard vulnerability assessment solution for security practitioners. Nessus helps DoD security professionals quickly and easily identify and fix vulnerabilities - including software flaws, missing patches, malware, and misconfigurations - across a variety of operating systems, devices and applications.

Is Nessus Professional part of ACAS?

No. Nessus Professional is NOT part of ACAS. Nessus Professional is an independent scanner used for auditing. The version of Nessus provided by ACAS is a special version of the scanner that is managed by Tenable.sc.

How can I audit an air-gapped network?

You need to install SecurityCenter with a Nessus scanner on a laptop and conduct your scans via Tenable.sc. Though this is not optimal, the licensing structure of ACAS does not allow for the use of Nessus Professional, which would facilitate scanning without an installation of Tenable.sc.

What can Nessus scan for?

Nessus provides:

  • Discovery: Accurate, high-speed asset discovery
  • Scanning: Vulnerability scanning (including IPv4/IPv6/hybrid networks)
  • Un-credentialed vulnerability discovery
  • Credentialed scanning for system hardening and missing patches
  • Coverage: Broad asset coverage and profiling
  • Network devices: firewalls/routers/switches (Juniper, Check Point, Cisco, Palo Alto Networks), printers, storage
  • Offline configuration auditing of network devices
  • Virtualization: VMware ESX, ESXi, vSphere, vCenter, Microsoft, Hyper-V, Citrix Xen Server
  • Operating systems: Windows, OS X, Linux, Solaris, FreeBSD, Cisco IOS, IBM iSeries
  • Databases: Oracle, SQL Server, MySQL, DB2, Informix/DRDA, PostgreSQL, MongoDB
  • Web applications: Web servers, web services, OWASP vulnerabilities
  • Cloud: Scans the configuration of cloud applications like Salesforce and cloud instances like AWS and Rackspace
  • Compliance: Helps meet government, regulatory and corporate requirements
  • Helps meet several PCI DSS requirements through configuration auditing, web application scanning
  • Threats: Botnet/malicious, process/anti-virus auditing
  • Detect viruses, malware, backdoors, hosts communicating with botnet-infected systems, known/unknown processes, web services linking to malicious content
  • Compliance auditing: FFIEC, FISMA, CyberScope, GLBA, HIPAA/HITECH, NERC, PCI, SCAP, SOX
  • Configuration auditing: CERT, CIS, COBIT/ITIL, DISA STIGs, FDCC, ISO, NIST, NSA
  • Control Systems Auditing: SCADA systems, embedded devices and ICS applications
  • Sensitive Content Auditing: PII (e.g., credit card numbers, SSNs)

For more information on Nessus, click here.

What is Nessus Manager?

The primary purpose of Nessus Manager is to perform agent management and agent scan operations for on-premise infrastructure (10,000 systems). Nessus Manager is used to configure agent scans, manage agent groups, and act as the front-end connection for collecting agent data. Agent scans in Tenable.sc are configured to retrieve Nessus Agent scan results from Nessus Manager. Nessus Manager automatically provides plugin and version updates to Nessus Agents. More information on Nessus Manager performance can be found here.

Is Nessus Manager available as part of ACAS?

Yes, Nessus Manager and Nessus Agents are included in the ACAS contract.

Nessus Network Monitor (NNM)

What is Nessus Network Monitor?

NNM is a passive vulnerability scanner. Do you know what happens between the last time an active vulnerability scan is completed and the next time a scan is completed? New hosts, new ports, new services, and new vulnerabilities can arrive on your networks faster than you may be allowed to scan for them. NNM can find out what is happening on your network without scheduling and waiting for an active scan. NNM monitors your network for potential application compromises, trust relationships, and open or browsed network protocols. For more info on NNM, click here.

Is NNM an Intrusion Detection System (IDS)?

No, NNM is deployed in a strategic location to monitor workstation and server communications to be more preemptive in nature. NNM is designed to provide analysts with near real-time vulnerability detection and asset discovery. While not an IDS or Network Access Control (NAC), NNM uses similar techniques to reduce active scanning efforts. For example, NNM can detect new devices and launch vulnerability scans, or send emails when new services are detected. NNM is a powerful differentiator Tenable.sc provides to the ACAS program.

Where do I deploy NNM in my network?

NNM is typically installed connected to a mirrored or SPAN port. However, NNM can also be installed on specific application servers such as DNS, DHCP, or file servers. By deploying NNM on key systems on the network, Tenable.sc is able to better detect assets on the network and perform vulnerability assessments.

Can NNM scan sensitive devices such as SCADA?

Yes, NNM monitors network traffic for potential problems and detects otherwise un-scannable devices and highly-sensitive systems such as Supervisory Control and Data Acquisition (SCADA) or medical devices. This passive scanning is invaluable to the security of these sensitive devices and networks. While NNM provides a limited passive scanning ability with Industrial Control Systems (ICS) or SCADA, Tenable Industrial Security (IS) is a more complete and comprehensive solution. IS is not part of the ACAS contract but is available to purchase outside of the contract; for more information, click here.

Can NNM sniff an entire network/or specific IP range(s)?

NNM can be configured to sniff an entire network or just a particular server in which you are interested. For example, if you have a web server that you need to monitor 24/7, you can configure NNM to listen to all incoming and outgoing traffic to this server.

How much data throughput can NNM effectively handle?

NNM can handle up to 1 Gbps full packet capturing, but is still effective at rates beyond that. Though not available via ACAS, Tenable offers a 10 Gbps version of NNM. For more information about the 10 Gbps version, contact sales.

Can NNM sniff for classified information, social security numbers, and PII data?

Yes. NNM looks for text like 'amex', 'visa', 'top secret', etc., and pulls out those numbers and logs them in real-time.

Can NNM detect new users on a network?

Yes. NNM can detect new user SIDs going across the network.

Can NNM detect rogue hosts on the network?

Yes, NNM can detect rogue hosts on the network and trigger custom workflows.

Can NNM be used to eliminate the need for discovery scans?

Yes, NNM can be used to eliminate the need for discovery scans by triggering credentialed scans when detecting hosts connecting to the network.

Can NNM listen to encrypted data?

NNM can detect that the traffic is encrypted, but NNM won't be able to natively decrypt and detect the vulnerabilities within that traffic. NNM is able to tell whether the communication is incoming or outgoing. If you utilize SSL Taps, you do have the potential to review SSL encrypted data using NNM.

Log Correlation Engine (LCE)

What is Log Correlation Engine?

Log Correlation Engine (LCE) is designed to aggregate, normalize, correlate, and analyze event log data from raw network traffic, intrusion detection data, system and application logs, and user activity within your infrastructure. For more information on LCE, click here.

Why do I need LCE?

LCE enables you to:

  • Normalize, correlate, and analyze user and network activity from log data generated by any device or application across the enterprise in a central CAC-enabled portal.
  • Store, compress, and perform full-text search on any log generated by thousands of network devices and applications.
  • Demonstrate compliance with internal policies and regulatory requirements by maintaining an auditable infrastructure.
  • Monitor files and directories for unauthorized changes and deletions.
  • Detect malware and malicious system processes running in your environment.
  • Aid in incident response by saving searched data in a compressed format along with a checksum so the data can be used as forensic evidence.
  • Capture user access logs and behavior for insider threat profiling to determine exactly where your employees surf on the Internet, what systems they access, and what programs they run.
  • Categorize logs not matching existing rules as 'not-matched' and store them for further analysis providing insight on activities that previously would be overlooked.
  • Initiate full text searches making attack analysis and mitigation faster and more effective, yielding enhanced operations productivity.
  • Monitor local and remote Windows systems for USB devices, CD-ROM, and DVD activity.
  • Automatically detect deviations from baseline activity for any log source including firewall spikes, changes in web application error rates, and denial of service attacks.
  • Provide executive reports and metrics to continually assess your security and compliance posture.

If I have Splunk, why would I want to use LCE?

Out of the box, Splunk does not provide active correlation of vulnerability data. Using LCE, you have the ability to instantly provide out of the box correlation of data over a multitude of data sources to provide analysis for compliance and vulnerability data that will enable you to search for indicators of compromise. Additionally, LCE has a Splunk connector. Once data is correlated, it can be sent to Splunk for analysis and alerting. This can help reduce license cost while improving the quality of data going into Splunk.

Does LCE Support Windows Log Management?

Yes. Using a lightweight agent installed on a Windows host, LCE enables you to securely retrieve Windows, system, and application log data.

Does LCE have an agent?

Yes. LCE has agents for Windows and Unix/Linux host operating systems.

Is there an agent for Routers, Switches, Firewalls, etc.?

No. To pull data from devices such as routers and switches, LCE supports receiving SYSLOG data.

What does the LCE Agent do?

LCE agents provide log data retrieval, compression, and encryption. Additionally, they provide File Integrity Monitoring (FIM).

How does LCE do File Integrity Monitoring?

LCE hashes files, folders, and directories that you select. It monitors these for changes and creates an event, which can be used to trigger a workflow, when a change is detected. For example, monitoring your /etc/hosts file for changes could provide you with an indicator of compromise: this file shouldn't change much, so when it does, it is often a sign of compromise.
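
As an added illustration of the hash-and-compare approach described above (this is not Tenable's LCE code; SHA-256, the function names, and the event field names are assumptions made for this example), the following Python example baselines selected files and reports later changes as events. It also shows why content hashing matters: an edit that keeps the file size and restores the modification time is still detected.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def snapshot(selected_paths):
    """Map every regular file under the selected files/directories to its digest."""
    result = {}
    for entry in map(Path, selected_paths):
        if entry.is_file():
            files = [entry]
        elif entry.is_dir():
            files = sorted(f for f in entry.rglob("*") if f.is_file())
        else:
            files = []  # missing path: it will show up as "removed" in the diff
        for f in files:
            result[str(f)] = sha256_file(f)
    return result


def diff_events(baseline, current):
    """Compare two snapshots and return one event per added/removed/modified file."""
    events = []
    for path in sorted(baseline.keys() | current.keys()):
        old, new = baseline.get(path), current.get(path)
        if old == new:
            continue
        kind = "added" if old is None else "removed" if new is None else "modified"
        events.append({"event": f"file_{kind}", "path": path, "old": old, "new": new})
    return events


def demo():
    """Constructed sample data: a temporary directory standing in for /etc."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        hosts = root / "hosts"
        hosts.write_text("192.0.2.10 intranet.example\n")
        (root / "resolv.conf").write_text("nameserver 192.0.2.53\n")
        baseline = snapshot([root])
        original = hosts.stat()

        # Same-length edit with the original timestamps restored: a size or
        # mtime comparison would miss this, a content hash does not.
        hosts.write_text("192.0.2.99 intranet.example\n")
        os.utime(hosts, ns=(original.st_atime_ns, original.st_mtime_ns))
        (root / "resolv.conf").unlink()
        (root / "cron.allow").write_text("root\n")

        events = diff_events(baseline, snapshot([root]))
        return [(e["event"], Path(e["path"]).name) for e in events]


if __name__ == "__main__":
    for event in demo():
        print(event)
```
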

Is there an easy way to calculate how much log data I will generate?

Yes. A Log Calculator is available upon request. Contact support to request it.

Can I set log retention guidelines?

Yes. LCE will enable you to set log retention guidelines.

Is LCE data protected?

Yes. Once log data is collected, it is signed/hashed and stored. This helps ensure forensic authenticity of log data in the event it is needed as part of any investigation.

Is there a high availability version of LCE?

Yes. There is an Active/Active version of LCE often used for high value targets where no log data can be lost. Contact sales for more information.

Does LCE compress log data?

Yes. LCE provides compression of log data both in transit and when stored.

Does LCE encrypt log data?

Yes. LCE encrypts data in transit between LCE and the source host if the agent is used.

How do I get LCE?

You can get more information on LCE by emailing sales.

Is LCE CAC-enabled?

Yes, as are all SecurityCenter Continuous View (SCCV) products: Nessus, Passive Vulnerability Scanner (PVS), and Log Correlation Engine (LCE). Additionally, SecurityCenter now supports Proximity Card Authentication.

Training

How is ACAS Training handled?

The ACAS program office provides training classes to all ACAS users. Some of these classes are virtual and others are in-person. Information on these classes can be found here.

Additionally, Tenable has opened up its training catalogue to ACAS users. Visit the ASK-ACAS.INFO training section for details on how you can gain access to the Tenable training material.

What does the ASK-ACAS.INFO training provide?

Training material is provided to Tenable's commercial customers as part of their support package. Tenable has agreed to open this material up to ACAS users despite the fact they are not directly supported by Tenable. The initial offering will be for non-ACAS specific content. Tenable is diligently working to provide ACAS-specific content that will help ensure users have a wide range of training options while waiting to attend a DISA-provided class.

Software Downloads

Where can I download Tenable products and product updates?

Downloads of all Tenable products are available at https://www.tenable.com/downloads, including products licensed through ACAS. You will only be able to license products available through ACAS unless you have purchased them outside of the ACAS program.
