The Assured Compliance Assessment Solution (ACAS) is a suite of COTS applications that each meet a variety of security objectives and was developed by Tenable. The new DISA program awarded Tenable the DoD contract in 2012 and the deployment of ACAS throughout the enterprise has been occurring slowly but surely. The switch to ACAS was done in an effort to more unify security assessment reporting so that leadership can view and measure the overall security posture of the entire IT infrastructure. Below is a breakdown of some of the ACAS components and some of the challenges an agency may face when deploying ACAS.
Many security practitioners are familiar with the product Nessus as it’s been around for many years. Nessus is the scanning component of ACAS that is compliant with not only CVE vulnerability identifiers, but also DISA STIGs. This is one of the main advantages of Nessus over DoD’s previous scanner, Retina. In the DoD world, the compliance with STIGS is just as important as the compliance with software vulnerabilities. The library of Nessus plugins (audit files) is massive and is updated almost daily to account for the latest threat vectors.
Passive Vulnerability Scanner
The main purpose of Passive Vulnerability Scanner (PVS) is to monitor network traffic at the packet level. While Nessus monitors device vulnerabilities, PVS monitors the network traffic traversing your network for vulnerabilities. Please note that PVS is not an IDS and does not replace one in your network. PVS provides the ability to discover new hosts added to a network, find out which ports are passing traffic across the network, identify when applications are compromised, and monitor mobile devices connected to your network.
Security Center (SC) is the central management console for the configuration of Nessus & PVS. SC can collect scan data from all PVS and Nessus instances to provide custom dashboard and reports. One of the neat features of SC is the ability to roll-up SC instances for reporting purposes. This allows the DoD to deploy SC at various levels with all of them reporting to one or more main SC instances. As you can imagine, this reporting capability can be very beneficial as leadership now has the ability to view policy, vulnerability compliance, and total IT assets across the enterprise. Assessing the security posture of the DoD’s infrastructure is now easier than ever.
Deploying ACAS into your environment will require training, personnel resources, and time. As mentioned above, ACAS consists of multiple applications (some of which are not mentioned) that will each need to be configured and tested. Your security practitioners should ideally enroll in DISA-sponsored Computer Based Training (CBT) courses to get a better idea of what’s involved in deploying ACAS. Also, keep in mind that ACAS itself will need to be STIGe’d, so ideally a baseline DoD image should be used as your platform from the start. Lastly, you’ll want to measure the load that ACAS puts on your network during the testing phase as to not impact normal day to day mission operations. The two components of ACAS you’ll have to monitor for load are Nessus and PVS. Nessus is considered the active scanner while PVS is passive. However, PVS by virtue of network probing can in many cases put more load on your network than running a typical Nessus scan.
The DoD continues to develop their comprehensive security program to account for the ever changing cyber threat landscape. ACAS is just one of many security programs DoD has put in place to protect sensitive information. ACAS offers a more streamlined, centralized method for running scans, collecting scan data, and provides highly customizable reports that provide senior leadership the ability to measure the effectiveness of its security program.