Configure Tenable Security Center for NIAP Compliance
If your organization requires that your instance of Tenable Security Center meet National Information Assurance Partnership (NIAP) standards, you can configure the relevant settings to comply with them.
You must run Tenable Security Center 5.15.0 or later to fully configure Tenable Security Center for NIAP compliance. If you are running Tenable Security Center 5.15.0, you must install a patch to configure Tenable Security Center for NIAP compliance. Contact Tenable Support for assistance with the required patch. For more information about upgrading Tenable Security Center, see Before You Upgrade and Upgrade Tenable Security Center.
For more information about Tenable Security Center storage and communications encryption, see Encryption Strength.
Before you begin:
- If you are running Tenable Security Center 5.15.0, contact Tenable Support for assistance with the required patch.
- If you are using SSL certificates to log in to Tenable Security Center, ensure your server and client certificates are NIAP-compliant. For more information about certificate authentication, see Certificate Authentication.
- Confirm you have enabled the full disk encryption capabilities provided by the operating system on the host running Tenable Security Center.
To configure Tenable Security Center for NIAP compliance:
- Log in to Tenable Security Center via the command line interface (CLI).
- In the Tenable Security Center CLI, as the root or tns user, run the following commands to configure strong SSL/TLS encryption for Tenable Security Center communications:
# /opt/sc/support/bin/sqlite3 /opt/sc/application.db "INSERT INTO Configuration ( type,name,value,visible,editable ) VALUES ( 64, 'SSLVersion', 'TLSv1_2', 'false', 'false' )"
# /opt/sc/support/bin/sqlite3 /opt/sc/application.db "INSERT INTO Configuration ( type,name,value,visible,editable ) VALUES ( 64, 'SSLCipherList', 'ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-GCM-SHA384', 'false', 'false' )"
- Configure the Tenable Security Center web server to use strong encryption for storage and communications, as described in Configure SSL/TLS Strong Encryption.
  Note: For NIAP compliance, you must configure TLS 1.2 encryption with any of the following ciphers: ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-SHA384, or ECDHE-RSA-AES256-GCM-SHA384.
- If you connect Tenable Security Center to Tenable Nessus, Tenable Nessus Manager, Tenable Nessus Network Monitor, or Tenable Log Correlation Engine, you must use certificates to authenticate the connection. For more information, see Manual Tenable Nessus SSL Certificate Exchange and Manual Log Correlation Engine Key Exchange.
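
One way to confirm the SSLVersion and SSLCipherList rows from the commands above match the NIAP note. This is an added example, not Tenable's own tooling: the function names are hypothetical, and the in-memory database is a constructed stand-in that uses only the Configuration columns shown in the commands.

```python
import sqlite3

# Protocol value and cipher names as given in the page's commands and NIAP note.
NIAP_PROTOCOL = "TLSv1_2"
NIAP_CIPHERS = {
    "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
}

def audit_tls_rows(conn):
    """Return findings for the SSLVersion/SSLCipherList rows; [] means they match."""
    found = {"SSLVersion": [], "SSLCipherList": []}
    query = ("SELECT name, value FROM Configuration "
             "WHERE name IN ('SSLVersion', 'SSLCipherList')")
    for name, value in conn.execute(query):
        found[name].append(value or "")  # treat NULL as an empty value

    findings = []
    for name, values in found.items():
        if not values:
            findings.append(f"{name}: no row found")
        elif len(values) > 1:
            # For example, the INSERT was run twice; flag it so the rows get reviewed.
            findings.append(f"{name}: {len(values)} rows found, the procedure inserts one")
    for value in found["SSLVersion"]:
        if value != NIAP_PROTOCOL:
            findings.append(f"SSLVersion: {value!r} is not {NIAP_PROTOCOL}")
    for value in found["SSLCipherList"]:
        ciphers = [c.strip() for c in value.split(":") if c.strip()]
        if not ciphers:
            findings.append("SSLCipherList: empty cipher list")
        for cipher in ciphers:
            if cipher not in NIAP_CIPHERS:
                findings.append(f"SSLCipherList: {cipher} is not in the NIAP note")
    return findings

def sample_db(rows):
    """Constructed in-memory stand-in for /opt/sc/application.db (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Configuration (type, name, value, visible, editable)")
    conn.executemany(
        "INSERT INTO Configuration VALUES (64, ?, ?, 'false', 'false')", rows)
    return conn

if __name__ == "__main__":
    # On a real host (assumption): sqlite3.connect("file:/opt/sc/application.db?mode=ro", uri=True)
    weak = sample_db([("SSLVersion", "TLSv1"), ("SSLCipherList", "AES128-SHA")])
    print(audit_tls_rows(weak))
```

This checks only the stored rows; the web server settings described in Configure SSL/TLS Strong Encryption still need their own review.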