Configure Tenable Nessus Agent for NIAP Compliance

If your organization requires that Tenable Nessus Agent meets National Information Assurance Partnership (NIAP) standards, you can configure Tenable Nessus Agent so that relevant settings are compliant with NIAP standards.

Before you begin:

  • If Tenable Nessus Agent is linked to Tenable Nessus Manager, verify that the CA certificate of Tenable Nessus Manager is in custom_CA.inc or known_CA.inc.
  • Confirm you have enabled the full disk encryption capabilities provided by the operating system on the host where Tenable Nessus Agent is installed.

To configure Tenable Nessus Agent for NIAP compliance:

  1. Access the agent from the command line interface.
  2. Enable NIAP mode using the command line interface:
    • In the command line, enter the following command:

      nessuscli fix --set niap_mode=enforcing

      Linux example:

      /opt/nessus_agent/sbin/nessuscli fix --set niap_mode=enforcing

    Tenable Nessus Agent does the following:

    Note: When Tenable Nessus Agent is in NIAP mode, Tenable Nessus Agent overrides the following settings as long as Tenable Nessus Agent remains in NIAP mode. If you disable NIAP mode, Tenable Nessus Agent reverts to what you had set before.

    • Overrides the SSL mode (ssl_mode) with TLS 1.2 (niap).

    • Overrides the SSL cipher list (ssl_cipher_list) setting with NIAP-compliant ciphers (niap), which sets the following ciphers:

      • ECDHE-RSA-AES128-SHA256

      • ECDHE-RSA-AES128-GCM-SHA256

      • ECDHE-RSA-AES256-SHA384

      • ECDHE-RSA-AES256-GCM-SHA384

    • Uses strict certificate validation:

      • Disallows certificate chains if any intermediate certificate lacks the CA extension.

      • Authenticates a server certificate, using the signing CA certificate.

      • Authenticates a client certificate when using client certificate authentication for login.

      • Checks the revocation status of a CA certificate using the Online Certificate Status Protocol (OCSP). If the certificate is revoked, then the certificate is marked as invalid. If there is no response, then the certificate is not marked as invalid, and its use is permitted if it is otherwise valid.

      • Ensures that the certificate has a valid, trusted CA that is in known_CA.inc. CA Certificates for Tenable Vulnerability Management and plugins.nessus.org are already in known_CA.inc in the plugins directory.

      • If linked to Tenable Nessus Manager, verifies that the CA certificate of Tenable Nessus Manager is found in custom_CA.inc or known_CA.inc.

    • Enforces the current validated FIPS module for agent communication and database encryption. The FIPS module does not affect scanning encryption.

      Note: You can enforce the FIPS module from the agent nessuscli utility without enforcing NIAP mode. For more information, see Tenable Nessus Agent CLI Commands.
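The following script is an added example, not Tenable's code or part of this page: it wraps the enabling step above and then audits the settings the page says NIAP mode overrides (niap_mode, ssl_mode and ssl_cipher_list), so a change-control ticket can record that the agent actually ended up in the expected state. It assumes the Linux nessuscli path shown above (overridable through NESSUSCLI), that `nessuscli fix --get <setting>` exists on the agent and prints the value as `setting: value`, and that niap_mode reads back as `enforcing`; the cipher and expectation checks are pure shell functions that run without the agent installed.

```shell
#!/bin/sh
# Added example (not Tenable's code): enable NIAP mode on a Linux agent and
# audit the settings the page lists as overridden by NIAP mode.
# Assumption: the Linux nessuscli path from the page; override with NESSUSCLI=...
NESSUSCLI="${NESSUSCLI:-/opt/nessus_agent/sbin/nessuscli}"

# The four cipher suites the page lists for ssl_cipher_list=niap.
NIAP_CIPHERS="ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-GCM-SHA384"

# niap_cipher_ok LIST: return 0 if every colon-separated cipher in LIST is one
# of the four NIAP suites, 1 otherwise (an empty list is not compliant).
niap_cipher_ok() {
    list="$1"
    [ -n "$list" ] || return 1
    for c in $(printf '%s' "$list" | tr ':' ' '); do
        found=0
        for allowed in $NIAP_CIPHERS; do
            [ "$c" = "$allowed" ] && found=1
        done
        [ "$found" -eq 1 ] || return 1
    done
    return 0
}

# expected_value SETTING: the value the page says NIAP mode forces.
# niap_mode reading back as "enforcing" is an assumption.
expected_value() {
    case "$1" in
        niap_mode)       echo enforcing ;;
        ssl_mode)        echo niap ;;
        ssl_cipher_list) echo niap ;;
        *)               return 1 ;;
    esac
}

# audit_setting SETTING ACTUAL: 0 if the observed value matches the expectation.
audit_setting() {
    want=$(expected_value "$1") || return 1
    [ "$2" = "$want" ]
}

# enable_niap: the command from the procedure above.
enable_niap() {
    "$NESSUSCLI" fix --set niap_mode=enforcing
}

# audit_agent: read each setting back with 'nessuscli fix --get' (assumed to
# print "setting: value"), strip the name, and compare. Returns 1 on any miss.
audit_agent() {
    rc=0
    for s in niap_mode ssl_mode ssl_cipher_list; do
        actual=$("$NESSUSCLI" fix --get "$s" 2>/dev/null | sed 's/^[^:]*: *//')
        if audit_setting "$s" "$actual"; then
            echo "ok   $s=$actual"
        else
            echo "FAIL $s=$actual (expected $(expected_value "$s"))"
            rc=1
        fi
    done
    return $rc
}

# Usage: NESSUSCLI=/opt/nessus_agent/sbin/nessuscli sh niap_audit.sh --apply
if [ "${1:-}" = "--apply" ] && [ -x "$NESSUSCLI" ]; then
    enable_niap && audit_agent
fi
```

Run it with `--apply` as root on the agent host; without `--apply` it only defines the functions, which makes it safe to source from a larger hardening script. If `nessuscli fix --get` prints its values in a different shape on your build, adjust the `sed` expression rather than the expectations, which come straight from the page.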