Configure Nessus for NIAP Compliance

If your organization requires that your instance of Nessus meets National Information Assurance Partnership (NIAP) standards, you can configure Nessus so that relevant settings are compliant with NIAP standards.

Before you begin:

  • Ensure you are running Nessus version 8.11.1.

  • If you are using SSL certificates to log in to Nessus, ensure your server and client certificates are NIAP-compliant. You can either use your own certificates signed by a CA, or you can Create SSL Client Certificates for Login using Nessus.
  • Confirm you have enabled the full disk encryption capabilities provided by the operating system on the host where Nessus is installed.

To configure Nessus for NIAP compliance:

  1. Log in to your instance of Nessus.
  2. Enable NIAP mode using the command line interface:

    1. Access Nessus from a command line interface.
    2. In the command line, enter the following command:

      nessuscli fix --set niap_mode=enforcing

      Linux example:

      /opt/nessus/sbin/nessuscli fix --set niap_mode=enforcing

    Nessus does the following:

    Note: When Nessus is in NIAP mode, Nessus overrides the following settings as long as Nessus remains in NIAP mode. If you disable NIAP mode, Nessus reverts to what you had set before.

    • Overrides the SSL Mode (ssl_mode_preference) with the TLS 1.2 (niap) option.
    • Overrides the SSL Cipher List (ssl_cipher_list) setting with the NIAP Approved Ciphers (niap) setting, which sets the following ciphers: 
      • ECDHE-RSA-AES128-SHA256
      • ECDHE-RSA-AES128-GCM-SHA256
      • ECDHE-RSA-AES256-SHA384
      • ECDHE-RSA-AES256-GCM-SHA384
    • Uses strict certificate validation:
      • Disallows certificate chains if any intermediate certificate lacks the CA extension.
      • Authenticates a server certificate, using the signing CA certificate.
      • Authenticates a client certificate when using client certificate authentication for login.
      • Checks the revocation status of a CA certificate using the Online Certificate Status Protocol (OCSP). If the response is that the certificate is revoked, then the certificate will be marked as invalid. If there is no response, then the certificate will not be marked as invalid, and its use will be permitted if it is otherwise valid.
      • Ensures that the certificate chains to a valid, trusted CA that is already included in the CA certificates in the plugins directory.

      • If you want to use a custom CA certificate that is not already included, copy it to the plugins directory.
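The following Python script is an added example, not part of Tenable's documentation or of Nessus itself. It builds a client-side TLS profile with the same constraints NIAP mode enforces on the Nessus web server (TLS 1.2 only, the four approved ECDHE-RSA cipher suites, mandatory CA-based certificate verification) and uses it to confirm that a Nessus instance refuses anything weaker. The port 8834 default and the `probe` function are assumptions for illustration; the cipher names and TLS version come from the list above.

```python
"""Check that a Nessus instance in NIAP mode negotiates only TLS 1.2 with
NIAP approved cipher suites. Added example; assumes Nessus listens on 8834."""
import socket
import ssl
import sys

# Cipher suites that the NIAP Approved Ciphers (niap) setting enables.
NIAP_CIPHERS = (
    "ECDHE-RSA-AES128-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
)
# The TLS 1.2 (niap) SSL Mode pins the protocol version.
NIAP_TLS_VERSION = "TLSv1.2"


def niap_context(cafile=None):
    """Client SSLContext that only offers what NIAP mode accepts."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(NIAP_CIPHERS))
    # Strict validation: the server certificate must chain to a trusted CA.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if cafile:
        ctx.load_verify_locations(cafile=cafile)  # e.g. your own signing CA
    else:
        ctx.load_default_certs()
    return ctx


def tls12_cipher_names(ctx):
    """TLS 1.2 suites the context will offer (TLS 1.3 suites excluded)."""
    return sorted(c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3")


def assess_session(version, cipher):
    """Classify a negotiated (version, cipher) pair against the NIAP profile."""
    if version != NIAP_TLS_VERSION:
        return False, f"negotiated {version}; NIAP mode pins {NIAP_TLS_VERSION}"
    if cipher not in NIAP_CIPHERS:
        return False, f"cipher {cipher} is not in the NIAP approved list"
    return True, f"{version} with NIAP approved cipher {cipher}"


def is_niap_compliant(version, cipher):
    return assess_session(version, cipher)[0]


def probe(host, port=8834, cafile=None, timeout=5.0):
    """Connect with the strict profile and report what was negotiated.

    A handshake failure means the server offered nothing the NIAP profile
    accepts, or its certificate did not validate against the trusted CA.
    """
    ctx = niap_context(cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return assess_session(tls.version(), tls.cipher()[0])
    except ssl.SSLError as exc:
        return False, f"handshake failed: {exc}"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    ok, reason = probe(target)
    print(("PASS" if ok else "FAIL") + ": " + reason)
```

Run it against the Nessus host after enabling NIAP mode; a PASS confirms that the server completed a TLS 1.2 handshake with one of the four approved suites and presented a certificate that chained to the trusted CA. Because the client context itself offers nothing else, a server that still accepts TLS 1.0/1.1 or weaker suites cannot be detected this way; for that, repeat the probe with a deliberately lenient context and expect it to be rejected.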

Database Encryption

You can convert encrypted databases from the default format (OFB-128) to NIAP-compliant encryption (XTS-AES-128).

Nessus in NIAP mode can read databases with the default format (OFB-128).

To convert encrypted databases to NIAP-compliant encryption:

  1. Stop Nessus.
  2. Ensure NIAP mode is enabled, as described in the previous procedure.
  3. Enter the following command:

    nessuscli security niapconvert

    Nessus converts encrypted databases to XTS-AES-128 format.