Government agencies and contractors in the supply chain face threats every single day. If you haven’t read the news lately, our national infrastructure and data systems face significant challenges in maintaining the security and integrity of their devices, applications and network resources. When agencies and contractors want to connect to any sensitive system, the Department of Defense requires that they utilize the Assured Compliance Assessment Solution (ACAS).
This suite of vulnerability scanning software provides passive and active scanning capabilities that promote high levels of network security and compliance while standardizing these tools across organizations, no matter where they are located.
What is Assured Compliance Assessment Solution (ACAS)?
ACAS is an initiative implemented by the Department of Defense in 2012 to mandate a suite of vulnerability scanning and testing tools for contractors in the DoD supply chain.
The impetus for ACAS and its introduction into the supply chain is the necessary security around the Secret Internet Protocol Network (SIPRNet) and other aspects of the Defense Information Systems Agency (DISA). SIPRNet is the secure network through which defense agencies and contractors store and transmit classified information with the SECRET descriptor. Much like a private Internet in its own right, SIPRNet allows organizations and individuals with clearance to publish web pages and other information that contains classified data.
Accordingly, the technical infrastructure around not only the network itself but all devices connecting to it must meet rigorous security standards. The DoD decided that part of that security should include regular, structured information security and vulnerability scanning. Note that this isn’t the same as undergoing penetration testing.
Implementation of ACAS tools is mandated by the DoD for any agency or contractor that connects to DISA networks.
Within the umbrella of ACAS are several components that play a role in how that technology works:
- Nessus: Nessus serves as the scanning portion of ACAS and scans for device vulnerabilities. Replacing the previous Retina scanner employed by the DoD, the Nessus scanner library is updated almost daily to maintain security and compliance with CVE vulnerability identifiers and DISA STIGs.
- Passive Vulnerability Scanners (PVS): PVS monitors packets on the organization’s network. This traffic monitoring supports identifying vulnerabilities at the network level.
- Security Center: The central management dashboard for both Nessus and PVS.
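To make the division of labour between the scanner and the management layer concrete, here is an added example (not Tenable's or the DoD's code) that parses the kind of output Nessus produces and builds the two views a Security Center operator cares about: a count of findings per severity, and an index of which hosts share a given CVE identifier. The .nessus v2 layout (`NessusClientData_v2`, `ReportHost`, `ReportItem` with `severity`, `pluginID` and child `cve` elements) is the real export format; the hosts, plugin IDs and CVE numbers in the sample are constructed placeholders, not findings from any real scan.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the .nessus v2 layout. Host addresses, plugin IDs and
# CVE identifiers are placeholders for illustration only.
SAMPLE_NESSUS = """<?xml version="1.0"?>
<NessusClientData_v2>
  <Report name="example-scan">
    <ReportHost name="10.0.0.5">
      <HostProperties><tag name="host-ip">10.0.0.5</tag></HostProperties>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
                  pluginID="100001" pluginName="Placeholder SMB finding" pluginFamily="Windows">
        <cve>CVE-0000-0001</cve>
        <cve>CVE-0000-0002</cve>
      </ReportItem>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="100002" pluginName="Placeholder info plugin" pluginFamily="General"/>
    </ReportHost>
    <ReportHost name="10.0.0.6">
      <HostProperties><tag name="host-ip">10.0.0.6</tag></HostProperties>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="2"
                  pluginID="100003" pluginName="Placeholder SSH finding" pluginFamily="Misc">
        <cve>CVE-0000-0001</cve>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

# Nessus severity attribute values as exported in .nessus files.
SEVERITY_LABELS = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}


def parse_nessus(xml_text):
    """Return one dict per ReportItem, carrying host, port, plugin and CVE list."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.findall("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port")),
                "protocol": item.get("protocol"),
                "plugin_id": item.get("pluginID"),
                "plugin_name": item.get("pluginName"),
                "severity": int(item.get("severity", "0")),
                # <cve> children are optional; informational plugins have none.
                "cves": [c.text.strip() for c in item.findall("cve") if c.text],
            })
    return findings


def severity_summary(findings, min_severity=1):
    """Count findings per severity label, dropping informational results by default."""
    counts = Counter()
    for f in findings:
        if f["severity"] >= min_severity:
            counts[SEVERITY_LABELS[f["severity"]]] += 1
    return dict(counts)


def hosts_by_cve(findings):
    """Map each CVE identifier to the sorted list of hosts where it was reported."""
    index = {}
    for f in findings:
        for cve in f["cves"]:
            index.setdefault(cve, set()).add(f["host"])
    return {cve: sorted(hosts) for cve, hosts in index.items()}


if __name__ == "__main__":
    found = parse_nessus(SAMPLE_NESSUS)
    print(severity_summary(found))
    for cve, hosts in sorted(hosts_by_cve(found).items()):
        print(cve, "->", ", ".join(hosts))
```

The severity rollup is what a dashboard shows at a glance; the CVE-to-host index is what an operator needs to confirm that a single remediation (one patch, one STIG setting) actually closes the finding on every host that reported it.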
What is Tenable?
When the DoD implemented ACAS as a requirement for agencies and contractors, it awarded contracts to a select few companies to build ACAS software, one of which was Tenable. As of 2021, Tenable has become so synonymous with ACAS that many people in the industry use the terms interchangeably.
With that said, Tenable offers a series of software components that are used for ACAS scanning. These components include:
- Tenable.sc: Tenable.sc is a real-time scanner built on Nessus and PVS. In essence, this software combines two of the ACAS pieces of software (PVS and Nessus) for active and passive device and network scanning.
- Tenable.io: A version of Security Center, Tenable.io serves as a dashboard and analytics center for Tenable.sc, and thus the scanning activity of your ACAS solution.
- Tenable.sc: This provides a comprehensive risk assessment and management infrastructure around your systems, in particular your Tenable scanners.
- Tenable.ad: An Active Directory-specific piece of software that provides ACAS functionality for those unique environments.
Why Are ACAS and Tenable Important for Government Contractors?
The reason the DoD made ACAS mandatory for agencies and contractors across the board is that it standardized the kind of awareness and security posture necessary to promote secure information-handling networks.
Just as important was the necessity of developing solutions that didn’t inhibit the work of these agencies. Tenable products, using Nessus and PVS, are less resource-intensive on the networks they scan, which means that they don’t impact the work underway on those networks.
Finally, because ACAS is deployable on many different systems, it’s portable and customizable for a variety of different applications, making it a standard tool for security awareness for organizations across the world.
There are, however, challenges that come with implementing ACAS solutions. These challenges include the following:
- Training: Your employees need to know how to operate and update ACAS software, which means extensive training on console configurations and scanners like Nessus and PVS. DISA offers sponsored training to help you get ready for ACAS.
- Security Technical Implementation Guides (STIGs): ACAS, like most DoD requirements, has rigorous requirements. As with other technology, it must meet requirements outlined in DoD STIGs, which means that you should be familiar with DoD-baseline versions of ACAS.
- Testing: While ACAS doesn’t typically overload scanned networks, you will want to test your ACAS implementation to determine how it impacts network performance.
Fortunately, since ACAS is a relatively standardized set of tools, you can count on support from the DoD, DISA and other third-party authorized security agencies to help with deployments and continued maintenance.
Integrating Tenable Solutions With Support From Continuum GRC
Regardless of whether you are a small contractor or an enterprise-grade business, you can contribute to the DoD supply chain. Certain kinds of work, however, require that you use ACAS packages like Tenable to secure your network and devices. That means integrating Tenable into your existing system.
Fortunately, Continuum GRC can help. Our experts are experienced in systems engineering and integration, and can help your secure environment adopt useful or necessary technologies like Tenable to meet regulatory and compliance requirements.
If you are in a position where Tenable is part of your business and technology plan, Continuum GRC can help you integrate the software with your network systems to promote security and compliance without impacting your network performance.
Do You Want to Learn More About Continuum GRC’s Tenable Integration Service?
Call 1-888-896-6207 or complete the form below.