Organizations working with the DoD are probably familiar, in part, with the compliance demands for vulnerability scanning and risk assessment. The increasing sophistication of cyberattacks has led to increased attention on the Defense Industrial Base (DIB) supply chain and DoD contractors, especially on their ability to maintain effective cybersecurity postures.
A critical tool for DoD compliance is the Assured Compliance and Assessment Solution (ACAS). This tool is intended as a way to measure enterprise networks in the DoD supply chain against DoD compliance standards and identify any potential or known system vulnerabilities.
Here, we will discuss ACAS, what it means for your organization and its relationship with companies like Perspecta and Tenable.
What are ACAS and Tenable?
ACAS is primarily a Commercial Off-the-Shelf (COTS) suite of software vulnerability scanning tools for networks and applications. Following challenges in the federal and DoD supply chain due to poor visibility into security and data systems, the Defense Information Systems Agency (DISA) awarded Tenable a contract to develop products that could assess enterprise networks and systems within the guidelines of DoD compliance standards.
The goal? Complete visibility for security teams through a distributed set of applications that all SIPRNet systems must implement.
That being said, when people discuss ACAS solutions, most likely they are referring to the Tenable suite of products. That’s because the Tenable suite of DoD services is quite comprehensive and accurate within the DoD contractor space. These Tenable components include:
- Tenable.sc: A real-time and continuous network monitoring tool built on Nessus technology that serves as a central repository for data collected by Tenable technologies. This tool also helps organizations find vulnerabilities and security gaps in their networks before they become problems down the road.
Tenable.sc also includes the Passive Vulnerability Scanner (PVS) that continuously monitors your organization’s network at a packet level for wide-ranging and comprehensive network analytics. Unlike the active Tenable.sc or Nessus scanners, PVS operates as a sort of tripwire and constant security presence on your network.
- Tenable.io: A suite of unlimited Nessus scanners, based in a cloud deployment and supporting advanced analytics and scalability. This tool serves as an active network scanner with strong, Role-Based Access Controls (RBAC) and does much of what Tenable.io does, simply as a cloud deployment.
Tenable.sc is the backbone of their ACAS solutions, providing several layers of controls and additional vulnerability analytics components that include:
- Assurance Report Cards: A continuous metric derived from measurements of network security effectiveness as your current system measures against compliance demands and internal strategic objectives.
- Advanced Analytics and Trending: Network and system insights allow you to intelligently prioritize cybersecurity and compliance demands based on real-time events and configurations.
- Customizable Dashboards and Reports: A unique and tailored analytics dashboard to give contractors the specific information they need.
- Cumulative Scan Results: Aggregate information from multiple scanning on-prem Nessus scanning channels.
Is ACAS Just Tenable by Another Name?
This point is where many organizations and even experts get confused when first entering this space.
To clarify: ACAS is the set of network tools determined by DISA in 2012 to serve a necessary security function for use with the DoD Information Network (including NIPRNet and SIPRNet components and connections). Contracts for developing ACAS solutions went to Tenable and Hewlett Packard Enterprise Systems (Now Perspecta). Both companies partnered to provide this software package to the DoD, with Tenable solutions serving as the backbone of the scanning and monitoring capabilities.
For all intents and purposes, when referring to ACAS most individuals are referring to Tenable products.
SecureStrux and Managed Tenable ACAS Services
The ACAS package of solutions does provide a comprehensive and necessary security package for DoD contractors. Implementing these tools within your unique business and IT infrastructure isn’t a given, however, and still falls under general best practices for effective security and compliance.
Consider the three primary areas where ACAS and Tenable adoption will impact your organization:
- Implementation: Implementing Tenable into your existing infrastructure is a solvable problem. While some security firms suggest that clients change out existing components and technologies as part of their ACAS journey, we work to ensure that, whenever possible, you can continue with your existing tools and infrastructure.
- SIPRNet and NIPRNet Integration: Building out SIPRNet and NIPRNet Enclaves is one of our most important services, and we combine ACAS integration with complete SIPRNet and NIPRNet enclave buildout.
- Staff Training and Education: On-site and virtual training for ACAS tools provide your team with the information they need to use them effectively.
That’s why we’ve spent years learning and understanding how ACAS works, and our security engineers and compliance experts have also become knowledgeable with Tenable solutions to support our clients. We help you implement cloud-based Tenable, Nesses and ACAS products to support compliance and ongoing network monitoring and vulnerability management across your entire organization.
We are open to short-term consulting and long-term managed security services that include ACAS support. We help contractors in the Defense Industrial Base meet their cybersecurity and compliance goals regardless of size or structure. From start to finish, we are a dedicated defense cybersecurity firm that can help you manage your cybersecurity systems and focus on providing the unique services you offer the DoD to aid in the defense and well-being of our country.
To learn more about our managed security and Tenable/ACAS services, contact our sales and service team today.