Configure Tenable Network Monitor for NIAP Compliance

If your organization requires that your instance of Tenable Network Monitor meets National Information Assurance Partnership (NIAP) standards, you can configure Tenable Network Monitor so that relevant settings are compliant with NIAP standards.

Before you begin:

  • Ensure you are running Tenable Network Monitor version 6.2.0 or later.

  • If you are using SSL certificates to log in to Tenable Network Monitor, ensure your server and client certificates are NIAP compliant.

  • To ensure all passwords use NIAP-compliant hashing, the administrator must force a reset of all passwords.

  • Confirm you have enabled the full disk encryption capabilities provided by the operating system on the host where Tenable Network Monitor is installed.

Tenable Network Monitor 6.5.x supports OpenSSL 3.0.0 and later. OpenSSL 3.0.x exhibits the following behaviors and limitations:

  • OpenSSL 3.0.x is more strict with SSL Client Certificates than OpenSSL 1.1.1.

  • SSL certificates that do not include the Authority Key Identifier (AKI) or Subject Key Identifier (SKI) extensions are not valid in OpenSSL 3.0.7 and later.

  • NIAP Mode in Tenable Network Monitor will not allow connections if the user's SSL client certificate does not have the required sections.

  • If your SSL certificate includes OCSP servers in the Authority Information Access section, these OCSP servers will be used to verify your certificate. Those servers must have OCSP Signing enabled in the Extended Key Usage section.

  • The Tenable Network Monitor User Interface does not allow the user to enable the NIAP option unless the SSL certificate provides the required sections.
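The following pre-flight script checks a PEM certificate for the sections listed above before you attempt to enable NIAP mode. It is an added example, not part of Tenable's documentation or the nnm tool; it relies only on the openssl command-line tool, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Tenable's code): checks a PEM certificate for the
# extensions NIAP mode in Tenable Network Monitor requires, using only the
# openssl CLI. All function names here are hypothetical.

# Dump a PEM certificate as text; fail if the file does not parse as a certificate.
cert_text() {
    openssl x509 -in "$1" -noout -text 2>/dev/null
}

# Succeed only if the certificate carries both the Subject Key Identifier and
# Authority Key Identifier extensions, which OpenSSL 3.0.7+ and NIAP mode require.
check_key_identifiers() {
    txt=$(cert_text "$1") || return 1
    printf '%s\n' "$txt" | grep -q 'X509v3 Subject Key Identifier' || return 1
    printf '%s\n' "$txt" | grep -q 'X509v3 Authority Key Identifier' || return 1
}

# Succeed only if Extended Key Usage includes OCSP Signing. Run this against the
# certificate an OCSP responder presents: NIAP mode terminates the connection otherwise.
check_ocsp_signing_eku() {
    txt=$(cert_text "$1") || return 1
    printf '%s\n' "$txt" | grep -q 'OCSP Signing'
}

# List the OCSP responder URLs from Authority Information Access (empty if none);
# these are the responders NIAP mode contacts to verify the certificate.
ocsp_responders() {
    openssl x509 -in "$1" -noout -ocsp_uri 2>/dev/null
}

# Run the checks relevant to a client or server certificate and report each one.
# Exit status is 0 only when the certificate has the sections NIAP mode needs.
niap_cert_preflight() {
    cert=$1
    rc=0
    if check_key_identifiers "$cert"; then
        echo "OK   AKI and SKI extensions present: $cert"
    else
        echo "FAIL AKI or SKI extension missing (or file is not a certificate): $cert"
        rc=1
    fi
    uris=$(ocsp_responders "$cert")
    if [ -n "$uris" ]; then
        echo "INFO OCSP responders that must have OCSP Signing in their EKU:"
        # unquoted on purpose: one URL per line
        printf '     %s\n' $uris
    else
        echo "INFO no OCSP responder listed in Authority Information Access"
    fi
    return "$rc"
}

# Usage when run directly: sh niap_cert_preflight.sh /path/to/cert.pem
if [ "$#" -gt 0 ]; then
    niap_cert_preflight "$1"
fi
```

Run it against both the server certificate and each user's client certificate before enabling NIAP mode; a FAIL line means the user interface will refuse the NIAP option and NIAP mode would reject that client certificate at login.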

To configure Tenable Network Monitor for NIAP compliance:

  1. Log in to Tenable Network Monitor using one of the following methods:

  2. Set the Tenable Network Monitor web server to use TLS 1.2 communications:

    1. Click the button.

    2. Click Configuration.

      By default, the NNM Settings section appears.

    3. In the Setting Type drop-down menu, select NNM Web Server.

    4. Set Use TLS 1.2 to Enabled.

  3. Enable NIAP mode:

    • In the user interface:

      1. Click the button.

      2. Click Configuration.

        By default, the NNM Settings section appears.

      3. In the Setting Type drop-down menu, select Security Options.

      4. Set Enable FIPS Mode.

      5. Set Enable NIAP Mode.

    • In the command line interface:

      1. Access Tenable Network Monitor from a command line interface.

      2. In the command line, enter the following command:

        nnm --config "Enable FIPS Mode" 1

        Linux example:

        /opt/nnm/bin/nnm --config "Enable FIPS Mode" 1

      3. In the command line, enter the following command:

        nnm --config "Enable NIAP Mode" 1

        Linux example:

        /opt/nnm/bin/nnm --config "Enable NIAP Mode" 1

    • Tenable Network Monitor does the following:

      • Verifies that Tenable Network Monitor is using TLS 1.2.

      • Regardless of the Enable Strong Encryption setting, Tenable Network Monitor overrides the selected cipher suites with the following ciphers: ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-GCM-SHA384

        Note: While Tenable Network Monitor remains in NIAP mode, it keeps overriding the cipher suites with the list above. If you disable NIAP mode, it reverts to the cipher suites you had set before.

      • Tenable Network Monitor uses strict certificate validation:

        • Disallows certificate chains if any intermediate certificate lacks the CA extension.

        • Authenticates a server certificate, using the signing CA certificate.

        • Authenticates a client certificate when using client certificate authentication for login.

        • OCSP servers with certificates that do not have OCSP Signing in the Extended Key Usage section are disallowed and the connection will be terminated, per the requirements specified by NIAP standards.

        • Checks the revocation status of a CA certificate using the Online Certificate Status Protocol (OCSP). If the OCSP response reports the certificate as revoked, or the CA is unknown, the certificate is marked as invalid. If the OCSP server is down and there is no response, the certificate is not marked as invalid, and its use is permitted if it is otherwise valid.

Database Encryption

You can convert encrypted databases from the default format (OFB-AES-128) to NIAP-compliant encryption (XTS-AES-256).

Tenable Network Monitor in NIAP mode can read databases with the default format (OFB-AES-128).

To convert encrypted databases to NIAP-compliant encryption:

  1. Ensure NIAP mode is enabled, as described in the previous procedure.

  2. Stop Tenable Network Monitor.

  3. Monitor the files in /opt/nnm/var/nnm/db to ensure there are no .db_shm or .db_wal temporary files in the directory.

  4. Enter the following command:

    nnm security niapconvert

    Tenable Network Monitor converts encrypted databases to XTS-AES-256 format.
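The script below wraps the command-line steps from the two procedures above: it enables FIPS mode and then NIAP mode through the CLI, and it refuses to run the database conversion while the service is still running or .db_shm/.db_wal files remain. It is an added example, not Tenable's code; the NNM_BIN and NNM_DB_DIR defaults, the assumption that the service process is named nnm, and the function names are all assumptions.

```shell
#!/bin/sh
# Added example (not Tenable's code): wraps the documented CLI steps for
# enabling NIAP mode and the pre-flight for converting the encrypted databases.
# NNM_BIN, NNM_DB_DIR, the process name "nnm" and the function names are assumptions.
NNM_BIN=${NNM_BIN:-/opt/nnm/bin/nnm}
NNM_DB_DIR=${NNM_DB_DIR:-/opt/nnm/var/nnm/db}

# Set one Tenable Network Monitor configuration value through the CLI.
nnm_set_config() {
    "$NNM_BIN" --config "$1" "$2"
}

# Enable FIPS mode first, then NIAP mode, in the documented order.
enable_niap_mode() {
    nnm_set_config "Enable FIPS Mode" 1 || return 1
    nnm_set_config "Enable NIAP Mode" 1 || return 1
}

# Succeed if SQLite temporary files (.db_shm / .db_wal) are still present in the
# database directory, meaning a writer has not yet cleanly closed the databases.
db_temp_files_present() {
    for f in "$1"/*.db_shm "$1"/*.db_wal; do
        [ -e "$f" ] && return 0
    done
    return 1
}

# Convert the encrypted databases to XTS-AES-256, refusing to run while the
# service is up or temporary files remain, since either can leave the
# databases in an inconsistent state.
convert_databases() {
    # Assumption: the service process is named "nnm"; skip the check if pgrep is absent.
    if command -v pgrep >/dev/null 2>&1 && pgrep -x nnm >/dev/null 2>&1; then
        echo "refusing to convert: nnm is still running, stop it first" >&2
        return 1
    fi
    if db_temp_files_present "$NNM_DB_DIR"; then
        echo "refusing to convert: .db_shm/.db_wal files remain in $NNM_DB_DIR" >&2
        return 1
    fi
    "$NNM_BIN" security niapconvert
}

# Usage when run directly: sh niap_setup.sh enable | convert
case "${1:-}" in
    enable)  enable_niap_mode ;;
    convert) convert_databases ;;
esac
```

Because the conversion refuses to start while temporary files exist, re-run the convert step after the service has fully stopped rather than deleting the .db_shm or .db_wal files by hand.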