Configure Tenable Nessus Network Monitor for NIAP Compliance

If your organization requires that your instance of Tenable Nessus Network Monitor meets National Information Assurance Partnership (NIAP) standards, you can configure Tenable Nessus Network Monitor so that relevant settings are compliant with NIAP standards.

Before you begin:

  • Ensure you are running Tenable Nessus Network Monitor version 5.12.0 or later.

  • If you are using SSL certificates to log in to Tenable Nessus Network Monitor, ensure your server and client certificates are NIAP compliant.

  • To force all passwords to use NIAP-compliant hashing, the administrator must force resets on all passwords.

  • Confirm you have enabled the full disk encryption capabilities provided by the operating system on the host where Tenable Nessus Network Monitor is installed.

To configure Tenable Nessus Network Monitor for NIAP compliance:

  1. Log in to Tenable Nessus Network Monitor using one of the following methods:

  2. Set the Tenable Nessus Network Monitor web server to use TLS 1.2 communications:

    1. Click the button.

    2. Click Configuration.

      By default, the NNM Settings section appears.

    3. In the Setting Type drop-down menu, select NNM Web Server.

    4. Set Use TLS 1.2 to Enabled.

  3. Enable NIAP mode:

    • In the user interface:

      1. Click the button.

      2. Click Configuration.

        By default, the NNM Settings section appears.

      3. In the Setting Type drop-down menu, select Advanced.

      4. Set Enable NIAP Mode to 1.

    • In the command line interface:

      1. Access Tenable Nessus Network Monitor from a command line interface.

      2. In the command line, enter the following command:

        nnm --config "Enable NIAP Mode" 1

        Linux example:

        /opt/nnm/bin/nnm --config "Enable NIAP Mode" 1

    • Once NIAP mode is enabled, Tenable Nessus Network Monitor does the following:

      • Verifies that Tenable Nessus Network Monitor is using TLS 1.2.

      • Regardless of the Enable Strong Encryption setting, Tenable Nessus Network Monitor overrides the selected cipher suites with the following ciphers: ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-GCM-SHA384

        Note: While NIAP mode is enabled, Tenable Nessus Network Monitor continues to override the cipher suites. If you disable NIAP mode, Tenable Nessus Network Monitor reverts to the cipher suites you had set before.

      • Uses strict certificate validation:

        • Disallows certificate chains if any intermediate certificate lacks the CA extension.

        • Authenticates a server certificate, using the signing CA certificate.

        • Authenticates a client certificate when using client certificate authentication for login.

        • Checks the revocation status of a CA certificate using the Online Certificate Status Protocol (OCSP). If the response is that the certificate is revoked, the certificate is marked as invalid. If there is no response, the certificate is not marked as invalid, and its use is permitted if it is otherwise valid.
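After enabling NIAP mode, it is worth confirming from a separate host that the web server actually negotiates the profile described above. The following script is an added example, not part of Tenable's documentation or of the product; it assumes the web UI listens on port 8835 and that the host running the check has Python 3.

```python
#!/usr/bin/env python3
"""Check that an NNM web server negotiates only TLS 1.2 with one of the
cipher suites NIAP mode enforces. Added example, not Tenable's code."""
import socket
import ssl

# Cipher suites NNM enforces in NIAP mode (OpenSSL names, as listed above).
NIAP_CIPHERS = (
    "ECDHE-RSA-AES128-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
)

def assess(version, cipher_name):
    """Return findings for one negotiated (protocol, cipher) pair.
    An empty list means the handshake matches the NIAP profile."""
    findings = []
    if version != "TLSv1.2":
        findings.append(f"protocol {version} negotiated; NIAP mode requires TLSv1.2")
    if cipher_name not in NIAP_CIPHERS:
        findings.append(f"cipher {cipher_name} is outside the NIAP cipher list")
    return findings

def _context(max_version=None):
    # Certificate checks are disabled on purpose: this probe observes the
    # negotiation; it is not a client that should trust the server.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    if max_version is not None:
        ctx.maximum_version = max_version
    return ctx

def probe(host, port=8835, timeout=5.0):
    """Connect (port 8835 is an assumed NNM default) and return the
    negotiated protocol version and OpenSSL cipher name."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with _context().wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]

def downgrade_refused(host, port=8835, timeout=5.0):
    """True if the server refuses a client that offers at most TLS 1.1."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            ctx = _context(ssl.TLSVersion.TLSv1_1)
            with ctx.wrap_socket(raw, server_hostname=host):
                return False  # handshake succeeded: downgrade was accepted
    except (ssl.SSLError, OSError):
        return True
```

Run `probe()` and `assess()` against the NNM host; an empty findings list together with `downgrade_refused()` returning True is the expected state after the procedure.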

Database Encryption

You can convert encrypted databases from the default format (OFB-AES-128) to NIAP-compliant encryption (XTS-AES-256).

Tenable Nessus Network Monitor in NIAP mode can read databases with the default format (OFB-AES-128).

To convert encrypted databases to NIAP-compliant encryption:

  1. Stop Tenable Nessus Network Monitor.

  2. Ensure NIAP mode is enabled, as described in the previous procedure.

  3. Enter the following command:

    nnm security niapconvert

    Tenable Nessus Network Monitor converts encrypted databases to XTS-AES-256 format.