Configure Tenable Nessus for NIAP Compliance

This version of Tenable Nessus is not NIAP-certified, but the niap_mode command still functions as expected.

If your organization requires that your instance of Tenable Nessus meets National Information Assurance Partnership (NIAP) standards, you can configure Tenable Nessus so that relevant settings are compliant with NIAP standards.

Before you begin:

  • If you use SSL certificates to log in to Tenable Nessus, ensure your server and client certificates are NIAP-compliant. You can either use your own certificates signed by a CA, or you can Create SSL Client Certificates for Login using Tenable Nessus.
  • Confirm you have enabled the full disk encryption capabilities provided by the operating system on the host where you installed Tenable Nessus.

To configure Tenable Nessus for NIAP compliance:

  1. Log in to your instance of Tenable Nessus.
  2. Enable NIAP mode using the command line interface:

    1. Access Tenable Nessus from a command line interface.
    2. In the command line, enter the following command:

      nessuscli fix --set niap_mode=enforcing

      Linux example:

      /opt/nessus/sbin/nessuscli fix --set niap_mode=enforcing

    Tenable Nessus does the following:

    Note: When Tenable Nessus is in NIAP mode, Tenable Nessus overrides the following settings as long as Tenable Nessus remains in NIAP mode. If you disable NIAP mode, Tenable Nessus reverts to what you had set before.

    • Overrides the SSL Mode (ssl_mode_preference) with the TLS 1.2 (niap) option.
    • Overrides the SSL Cipher List (ssl_cipher_list) setting with the NIAP Approved Ciphers (niap) setting, which sets the following ciphers: 
      • ECDHE-RSA-AES128-SHA256
      • ECDHE-RSA-AES128-GCM-SHA256
      • ECDHE-RSA-AES256-SHA384
      • ECDHE-RSA-AES256-GCM-SHA384
    • Uses strict certificate validation:
      • Disallows certificate chains if any intermediate certificate lacks the CA extension.
      • Authenticates a server certificate, using the signing CA certificate.
      • Authenticates a client certificate when using client certificate authentication for login.
      • Checks the revocation status of a CA certificate using the Online Certificate Status Protocol (OCSP). If the certificate is revoked, then Tenable Nessus marks the certificate as invalid. If there is no response, then Tenable Nessus does not mark the certificate as invalid.
      • Ensures that the certificate has a valid, trusted CA that is in known_CA.inc. CA certificates for Tenable Vulnerability Management and plugins.nessus.org are already in known_CA.inc in the plugins directory. If you want to use a custom CA certificate that is not in known_CA.inc, copy it to custom_CA.inc in the plugins directory.
    • Enforces the current validated FIPS module for Tenable Nessus communication and database encryption. The FIPS module does not affect scanning encryption.

      Note: You can enforce the FIPS module from the nessuscli without enforcing NIAP mode. For more information, see Fix Commands.
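    To confirm that the SSL Mode and SSL Cipher List overrides above actually took effect on the web listener, the following added check (example code, not Tenable's) probes the Nessus port and reports whether it negotiates only TLS 1.2 with one of the four NIAP ciphers while turning away TLS 1.3, TLS 1.0/1.1 and non-NIAP cipher offers. It assumes the listener is reachable on port 8834 and that the Python build's OpenSSL still lets a client offer TLS 1.0/1.1 (OpenSSL 3 builds often refuse this client-side, which would show up as a spurious "legacy_refused").

```python
"""Added post-configuration check (not Tenable's code) for a Nessus listener in NIAP mode."""
import socket
import ssl

# The four NIAP Approved Ciphers the page says niap_mode selects.
NIAP_CIPHERS = {
    "ECDHE-RSA-AES128-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
}


def evaluate_handshake(version, cipher):
    """True when a negotiated (protocol, cipher) pair is what NIAP mode should produce."""
    return version == "TLSv1.2" and cipher in NIAP_CIPHERS


def probe(host, port, minimum, maximum, ciphers=None):
    """One handshake pinned to a protocol range; (protocol, cipher) on success, None if refused."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False     # we are inspecting the listener, not trusting it
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = minimum
    ctx.maximum_version = maximum
    try:
        if ciphers:                # an empty resulting list raises SSLError, hence inside try
            ctx.set_ciphers(ciphers)
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version(), tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None


def audit(host, port=8834):
    """NIAP mode should accept only TLS 1.2 with a NIAP cipher; everything else is refused."""
    v = ssl.TLSVersion
    tls12 = probe(host, port, v.TLSv1_2, v.TLSv1_2)
    results = {
        "tls12_niap_cipher": tls12 is not None and evaluate_handshake(*tls12),
        # A client offering only RSA-key-exchange (non-NIAP) ciphers must be turned away.
        "non_niap_cipher_refused": probe(host, port, v.TLSv1_2, v.TLSv1_2,
                                         "AES128-GCM-SHA256:AES256-GCM-SHA384") is None,
        "tls13_refused": probe(host, port, v.TLSv1_3, v.TLSv1_3) is None,
        "legacy_refused": probe(host, port, v.TLSv1, v.TLSv1_1) is None,
    }
    results["compliant"] = all(results.values())
    return results
```

    Run `audit("nessus.example.internal")` (hostname is a placeholder) after enabling NIAP mode and again after disabling it; the second run should show the pre-NIAP settings have been restored, as the note above describes.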

Database encryption

You can convert encrypted databases from the default format (OFB-128) to NIAP-compliant encryption (XTS-AES-128).

Tenable Nessus in NIAP mode can read databases with the default format (OFB-128).

To convert encrypted databases to NIAP-compliant encryption:

  1. Stop Tenable Nessus.
  2. Enable NIAP mode, as described in the previous procedure.
  3. Enter the following command:

    nessuscli security niapconvert

    Tenable Nessus converts encrypted databases to XTS-AES-128 format.