
Tenable Blog

Why Aren't Any NAC vendors CIS Certified or speaking XCCDF?

I was asked this question by a customer of ours at the recent NIST SCAP conference; I'm loosely paraphrasing:

"We use Nessus and the Security Center to audit 1000s of workstations and laptops for compliance against CIS and eventually NIST SCAP policies. I'd like to be able to have a NAC enforce compliance against CIS policies and the new FDCC policy, but haven't found any to accomplish this yet. Do you know of any?"

Quick Background

If you are not a regular reader of this blog, CIS is the Center for Internet Security. They work with a community of vendors and users to build a consensus of best practices for securing operating systems such as Windows 2003. Vendors who want to audit against CIS best practices can become certified by having their results evaluated through an accreditation process.

Also, SCAP stands for the 'Secure Content Automation Program'. It is a NIST program that produces configuration audit templates in the XCCDF format. XCCDF is a content specification which can be consumed by many different vendors (including Tenable) to perform configuration audits of operating systems such as Windows 2003.

If you visit the CIS or NIST SCAP web sites, you will see a plethora of operating system vendors, patch management vendors, configuration management vendors and auditing companies (like Tenable). However, you will not see typical NAC vendors listed as supporting these standards, or even declaring their intention to support them.

Why is this?

I feel the largest reason NAC vendors have not gone down this road is that consumers have not begun to ask them for these features. Most of the evaluations and reviews of NAC products tend to focus on how easy it is to keep users without passwords or patches off the network.

The technology to perform the types of checks these audits require exists in most NAC products, but the NAC vendors have not produced the audit content that would make this easy for their customers.

A secondary reason is that organizations who have deployed NAC to perform basic authentication and patch auditing and have found it too intrusive won't tolerate a deeper audit of their systems -- especially if it impacts operations.

Why should you care?

NAC solutions that can enforce compliance with corporate configuration standards as well as government and certified best-practice configurations will ultimately reduce variance, reduce the cost of operating the network and keep it secure.

Tenable is not a NAC vendor. However, we do want to see our customers migrate from networks and systems that are unpatched and randomly configured towards systems that are hardened and monitored for anomalies and access control violations. This is the basis of our unified security monitoring strategy.

As standards like XCCDF develop, they create an opportunity for audit vendors, configuration managers and NAC vendors to all enforce the same corporate standards. There is great value and flexibility in being able to assess how well a network meets a configuration standard with a solution such as Tenable's, and then at a later date enforce the same standard with a NAC solution.
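To make the "one standard, two consumers" point concrete, here is an added example (not Tenable's code, and not an XCCDF implementation from any vendor): a constructed XCCDF 1.1 benchmark is parsed once, then the same per-rule results feed an audit-style report and a NAC-style admit/quarantine decision. The inline `urn:example:kv` check language and the host posture dictionaries are assumptions for illustration; real XCCDF content normally references OVAL definitions.

```python
# Added example (not Tenable's code): one constructed XCCDF 1.1 benchmark drives
# both an audit-style result table and a NAC-style admission decision. The inline
# key=value check language is assumed for illustration; real content uses OVAL.
import xml.etree.ElementTree as ET

NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}
BENCHMARK = """<Benchmark id="example-win2003" xmlns="http://checklists.nist.gov/xccdf/1.1">
  <Rule id="min-password-length" selected="1" severity="high">
    <check system="urn:example:kv"><check-content>MinimumPasswordLength>=8</check-content></check>
  </Rule>
  <Rule id="guest-disabled" selected="1" severity="medium">
    <check system="urn:example:kv"><check-content>GuestEnabled==0</check-content></check>
  </Rule>
  <Rule id="screensaver-timeout" selected="0" severity="low">
    <check system="urn:example:kv"><check-content>ScreenSaverTimeout&lt;=900</check-content></check>
  </Rule>
</Benchmark>"""
OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b, "==": lambda a, b: a == b}
# Constructed host postures, as a NAC agent or a credentialed scan might collect them.
COMPLIANT_HOST = {"MinimumPasswordLength": 12, "GuestEnabled": 0}
WEAK_HOST = {"MinimumPasswordLength": 6, "GuestEnabled": 1}

def load_rules(xml_text):
    """Return (rule_id, severity, check_expression) for every selected Rule."""
    rules = []
    for rule in ET.fromstring(xml_text).findall("x:Rule", NS):
        if rule.get("selected", "1") in ("1", "true"):  # deselected rules are not evaluated
            expr = rule.find("x:check/x:check-content", NS).text.strip()
            rules.append((rule.get("id"), rule.get("severity", "unknown"), expr))
    return rules

def evaluate(expr, posture):
    """Evaluate one 'Key OP int' check; returns an XCCDF-style result string."""
    for op, fn in OPS.items():
        if op in expr:
            key, value = (s.strip() for s in expr.split(op, 1))
            if key not in posture:
                return "unknown"  # no evidence from the host is never treated as a pass
            return "pass" if fn(posture[key], int(value)) else "fail"
    raise ValueError(f"unsupported check expression: {expr}")

def audit(xml_text, posture):
    """Audit role (what a scanner reports): result per selected rule."""
    return {rid: (sev, evaluate(expr, posture)) for rid, sev, expr in load_rules(xml_text)}

def nac_decision(results, block_on=("high",)):
    """Enforcement role: the same results decide admit vs quarantine."""
    blocked = any(sev in block_on and res != "pass" for sev, res in results.values())
    return "quarantine" if blocked else "admit"
```

Note that a rule that could not be evaluated is reported as "unknown" and still blocks admission at a blocking severity; an enforcement point that treated missing evidence as a pass would admit exactly the hosts an audit knows least about.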

Next Steps

If you are interested in managing your network towards government or CIS standards, you should start out by assessing any gaps between your current configurations and the standards themselves. You can perform these types of audits with little impact with Nessus and the Direct Feed subscription. Larger organizations who audit against these policies should consider the Security Center.

You should also contact your NAC vendor and tell their sales staff, CTO and marketing people your desires. Nothing speaks louder to a vendor than customers saying they have a need that their solution can meet.

And lastly, if this type of configuration management is new to your organization, IT group or management, you should become as familiar as possible with concepts such as ITIL, Visible Ops and IT Controls. Tenable also offers the "Real Time Compliance Paper" which discusses how configuration auditing, vulnerability management, log analysis and anomaly detection can be jointly used to monitor organizations for PCI, FISMA and many other types of compliance requirements. This paper is available by contacting Tenable.
