Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

U.S. Government Solutions

 

Continuous visibility, critical contextual analysis and actionable insights to protect federal networks, information, and infrastructure

US government

Government agencies face escalating pressure to maintain constant vigilance against persistent cyber threats and attacks. Federal system integrators and other commercial partners that do business with U.S. government defense, intelligence and civilian agencies must establish robust information security defenses and continuously demonstrate compliance with evolving regulations and standards.

With a deep history of working with government agencies at every level, Tenable has become a primary technology in major federal cyber programs such as ACAS and CDM.  Tenable serves government agencies' specialized cybersecurity needs to protect their complex networks against ongoing threats, ensuring systems and technologies are in place to:

  • Continuously monitor on-prem, cloud, mobile and virtual data assets for real-time visibility
  • Proactively protect sensitive data and critical infrastructure from cyber threats
  • Extract actionable data and intelligence for expedited incident response and mitigation
  • Consistently demonstrate real-time compliance with regulatory standards and operational frameworks including NIST, RMF, SAP (Special Access Programs), DFARS, SCAP, CIS and SCADA
  • Integrate with other leading security solutions

Agile Lifecycle Security Management

What You Don't Know Will Hurt You

Tenable has a transformational and unified approach to cybersecurity that embeds risk management into public sector daily operations. Agencies and system integrators gain full visibility into computing assets across the infrastructure, enabling real-time identification of vulnerabilities, elimination of blind spots, automated assessment of the security health of systems and devices, and effective mitigation of risk exposure. Defenses are optimized and security posture is enhanced.

Vulnerability Management

On-prem, cloud and hybrid solutions for federal agency environments

  • Analysis and assessment of all assets to identify and prioritize vulnerabilities, misconfigurations and other exploitable weaknesses
  • Assurance that security controls are configured and operating properly, and that security and compliance posture is aligned with agency goals and objectives

Tenable Solutions for Vulnerability Management

Security Center CV logo
  • Unparalleled scanning by Nessus—the world’s most widely deployed vulnerability scanner, providing comprehensive visibility into vulnerabilities and misconfigurations across federal IT infrastructure
  • Maximum asset coverage through complementary products such as Nessus Network Monitor for passive monitoring of OT assets, including ICS and SCADA systems, Nessus Agents for transient mobile devices and virtual connections, and Log Correlation Engine for comprehensive continuous monitoring
  • Intelligent connectors to third-party systems and threat intelligence to identify advanced malware and improve contextual analysis, enabling protection of what matters most
  • Customizable out-of-the-box reports, Assurance Report Cards (ARCs), interactive dashboards, workflows and security

Learn More Request a Demo

DISA selection of SecurityCenter as the foundation of its ACAS program cements Tenable as the undisputed leader in vulnerability management in the U.S. Federal Government.
Tenable.io logo
  • First vulnerability management platform to unify security across IT, cloud and safety-critical infrastructure OT assets, including Industrial Control Systems (ICS) and SCADA, for coverage across the elastic attack surface
  • State-of-the-art vulnerability management platform for tracking and protecting dynamic assets like cloud, containers, mobile devices and web applications
  • Broad discovery and coverage of expanding asset landscape, including previously unknown and shadow assets across IT and OT systems
  • Tracking of fluid assets moving in and out of a network – via a combination of active scanners, agents and passive network monitoring – to maximize coverage
  • Centralized location for all vulnerability data, enabling system integrators partnering with federal agencies to embrace IT modernization, cloud technologies, DevOps and more
  • Robust and well-documented API and integrated SDK for automated sharing of platform capabilities and vulnerability data
  • 360-degree visibility of all resources with unmatched accuracy

Try Now

Tenable.io Vulnerability Management: “Well worth your time. This is a company with solid experience in the technology — and it shows.”
-SC Magazine

Continuous Monitoring

Ongoing awareness of information security vulnerabilities and threats to support public sector risk management decisions

  • Dynamic end-to-end visibility of security status across federal IT networks, systems, physical and virtual infrastructure, and cloud and mobile environments
  • Proactive and timely detection of assets and vulnerabilities
  • Ability to clearly communicate security status and prove compliance conformance to stakeholders
  • Continuous improvement of security posture of federal government infrastructure
Continuous monitoring isn't just continuous scanning. It includes real-time network and host activity monitoring to provide additional context.
-IDC Technology Spotlight

Tenable Solutions for Continuous Monitoring

Security Center CV logo
  • Unified view of all computing assets, enabling faster identification and remediation of vulnerabilities
  • Unparalleled scanning by Nessus—the world’s most widely deployed vulnerability scanner, providing comprehensive visibility into vulnerabilities and misconfigurations across federal IT infrastructure
  • Maximum asset coverage through complementary products such as Nessus Network Monitor for passive monitoring of OT assets including ICS and SCADA systems, Nessus Agents for transient mobile devices and virtual connections, and Log Correlation Engine for comprehensive continuous monitoring
  • Analysis and assessment of all assets to identify and prioritize vulnerabilities, misconfigurations and other exploitable weaknesses
  • Assurance that security controls are configured and operating properly, and security and compliance posture is aligned with agency goals and objectives
  • Intelligent connectors to third-party systems and threat intelligence to identify advanced malware and improve contextual analysis, enabling protection of what matters most
  • Unified security data that drives action to limit the scope of potential compromise
  • Customizable out-of-the-box reports, Assurance Report Cards (ARCs), interactive dashboards, workflows and security and compliance policies to meet agency requirements

Learn More Request a Demo

Container Security

Comprehensive visibility into the security of container images as they are developed, enabling vulnerability assessment, malware detection, policy enforcement and remediation prior to deployment, without slowing innovation cycles

Tenable Solutions for Container Security

Tenable.io logo

The only vulnerability management solution to offer integrated container security capabilities brings security into the build process, incorporating risk management early in the development cycle.

  • Discovery and remediation of vulnerabilities and policy violations in container images prior to production
  • Seamless and secure enablement of DevOps processes
  • Support for verifying that every container reaching production is secure and compliant
  • Indication of severity of discovered vulnerabilities

Try Now

Tenable is recognized as the only vendor that provides 100% of the seven essential features of vulnerability management solutions, including containers.
-Vendor Landscape: Vulnerability Management, 2017 (Forrester)

Web Application Scanning

Safe, automated and accurate scanning of web applications for deep visibility into critical vulnerabilities

Tenable Solution for Web App Scanning

Tenable.io logo
  • High detection rates with minimal false negatives and positives, for comprehensive understanding of risk in web apps
  • Intuitive dashboard for assessment and prioritized remediation based on vulnerability severity
  • No performance latency or disruption
  • Coverage of HTML5 and AJAX web apps

Try Now

Streamlined Compliance

Navigating the Changing Requirements Landscape

Tenable helps government agencies, federal system integrators, and other commercial service providers implement and assess the security controls required to do business with federal agencies. Find out how to leverage best-practice security frameworks and guidance to effectively protect critical systems and data.

Is your company a private sector entity working in the government ecosystem? Learn more about NIST SP 800-171. Is continuous monitoring your primary focus? Get the lowdown on SP 800-137. Need ATO? Find out how to operationalize the Risk Management Framework.

NIST (RMF, SP 800 Series, and SCAP)

National Institute of Standards and Technology (NIST)

RMF Risk Management Framework (RMF)

A fundamental approach for meeting multiple compliance requirements

  • Disciplined and structured process that integrates information security and risk management activities into the development life cycle
  • Risk-based approach to cybersecurity to enable ongoing assessment of security status and continuous response to threats
  • Federal system integrators must demonstrate operationalization of the RMF process in order to obtain Authorization to Operate within the federal government environment.
Six Steps NIST 800 Alignment
1. Categorize Information Systems (800-60)
2. Select Security Controls (800-53)
3. Implement Security Controls (800-160)
4. Assess Security Controls (800-53A)
5. Authorize Information Systems (800-37)
6. Monitor Security Controls (800-137)

SP 800 Series

SP 800-37

Guide for Applying the Risk Management Framework to Federal Information Systems: a Security Life Cycle Approach

Describes transformation of federal government Certification and Accreditation process into Risk Management Framework

Rev 1: June 2014

SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations

Foundational computer security guide for government comprised of 18 control families that can be used to comply with public and private sector policies and regulations

Rev 4: January 2015

SP 53-A Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans

How and when to build assurance cases, and how to make standards repeatable

Rev 4: December 2014

SP 800-137

Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations

Ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions

September 2011

SP 800-144

Guidelines on Security and Privacy in Public Cloud Computing

Overview of security and privacy challenges in cloud computing and recommendations for outsourcing data, apps, and infrastructure to a public cloud

December 2011

SP 800-145

NIST Definition of Cloud Computing

Five essential characteristics, three service models, and four deployment models intended for broad comparisons of services and strategies

September 2011

SP 800-171

Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations

Recommended requirements for federal agencies to protect the confidentiality of Controlled Unclassified Information (CUI) and DoD Covered Defense Information when it is processed, stored, or transmitted by nonfederal organizations (contractors, subcontractors, and service providers)

Encompasses 14 CUI security requirements

Department of Defense Contractors holding sensitive government information in IT systems must comply with 800-171 by the end of 2017.

Rev. 1: December 2016

SP 800-180

Definition of Microservices, Application Containers, and System Virtual Machines

Standard definitions and explanation of similarities and differences between these and related terms

February 2016 (Draft)

SP 800-190 

Application Container Security Guide

Security benefits and concerns associated with container technologies, plus practical recommendations for addressing concerns when planning, implementing, and maintaining containers

April 2017 (Draft)

Security Content Automation Protocol (SCAP)

An open security standards-based methodology encompassing 46 requirements that federal agencies can use to compare and evaluate the effectiveness and compliance conformance of competitive vulnerability management and configuration auditing solutions

CIS CSC

Center for Internet Security Critical Security Controls (CIS CSC)

Five components for effective cyber defense designed to help the federal sector prioritize resources and consolidate efforts:

  • Offense Informs Defense: Use controls proven to stop real-world attacks.
  • Prioritization: Invest in controls for greatest risk reduction and protection against the most dangerous threats.
  • Metrics: Establish shared language for stakeholders to measure effectiveness of security measures.
  • Continuous Monitoring: Test and validate effectiveness of current security measures.
  • Automation: Automate defenses for reliable, scalable, and continuous measurement of adherence to controls.

JSIG

Joint Special Access Program Implementation Guide (JSIG)

Special Access Programs (SAP) represent some of the DoD’s most sensitive information and therefore must be protected accordingly. JSIG provides standardized cybersecurity policy, procedures, and implementation guidance for network and system management. JSIG serves as a technical supplement to SP 800-53.

DFARS

Defense Federal Acquisition Regulations Supplement (DFARS)

Aligned with SP 800-171, DFARS is designed to govern all aspects of data protection in unclassified environments, including safeguarding contractor information systems. Companies currently engaged in government contracts or interested in bidding on new contracts must adhere to these requirements by the end of 2017. Solution requirements include self-reporting capabilities, organizational process framework for secure operations, single-pane-of-glass vulnerability management, role-based access control, ubiquitous data source interface, situational awareness, scalability, and customization.

SCADA

Supervisory Control and Data Acquisition (SCADA)

Family of protocols used to monitor and manage critical infrastructure. Accessibility and system integrity supersede data security in the relatively static SCADA environment. Few security tools are designed to work with SCADA systems, creating a gap that can leave these networks vulnerable to compromise and regulatory action. Protect Operational Technology (OT) and Industrial Control Systems (ICS) that are connected to SCADA.

Tenable Solutions for Automated Compliance

SecurityCenter Continuous View

Security Center CV logo

Visualize, measure, and communicate security status and adherence to multiple compliance regulations (SP 800 Series, CIS CSC, SCAP, JSIG, DFARS, SCADA) via single pane of glass

  • Automates data gathering and analysis, asset configuration auditing, and continuous assessment of security controls to simultaneously comply with multiple regulations, eliminating redundancies and increasing efficiency
  • Collects data from multiple sensors for ongoing detection and analysis of network vulnerabilities
  • Compares current security status to desired state and identifies gaps, providing actionable intelligence to build a roadmap for demonstrating compliance
  • Delivers out-of-the-box customizable dashboards and Assurance Report Cards (ARCs) that help demonstrate precise alignment with security frameworks and technical control regulations
  • Employs active (periodic) scanning, agent scanning, and passive, non-disruptive monitoring for comprehensive and continuous visibility of compliance conformance across IT and OT (operational technology) systems, including SCADA and industrial control systems (ICS) – in on-prem, virtual, cloud, and mobile environments
  • Relies on intelligent connectors to existing security infrastructure to analyze traffic, devices, applications/services, and communications across all environments to identify weaknesses and prioritize exposure
  • Leverages Nessus Network Monitor to passively analyze network traffic and provide continuous visibility into managed and unmanaged assets, including IT and OT systems. Nessus Network Monitor features:
    • A high-performance SCADA analysis module that enables broad visibility of assets and network traffic based on Department of Energy recommendations, while avoiding potential disruption associated with traditional active scanning of safety-critical SCADA networks
    • Operation without disruption while protecting data and complying with regulations that apply to OT, SCADA, and ICS networks
  • Provides situational awareness to SAP information systems to facilitate consistent adherence with JSIG
  • DDirectly maps to CIS CSC via automated scanning and continuous monitoring of vulnerabilities and configurations
  • Performs SCAP 1.2 certified assessments

Learn More Request a Demo

Technology Alliances

Partnering to Develop and Deliver Expanded Security Technology

Integration Briefs

Leverage your existing investments via the Tenable Technology Integration Partner Program:

Secure Innovations

Tenable has partnered with Secure Innovations, a cybersecurity firm that provides top-tier solutions for the defense and intelligence communities, to develop ASSESS (Automated Scalable Solution for Enterprise System Security), designed to help organizations operationalize the Risk Management Framework and expedite the Authority to Operate process.

Learn More

Government Programs

Tenable is the vulnerability management provider of choice for the US Department of Defense, powering the Defense Information System Agency’s (DISA) Assured Compliance Assessment Solution (ACAS). Tenable and DXC Technology established an exclusive partnership to deliver an integrated software solution to meet the vulnerability, configuration, and real-time risk management requirements of one of the largest, most demanding government organizations in the world. Tenable technology also supports the Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) program.

Assured Compliance Assessment Solution (ACAS)

Assured Compliance Assessment Solution (ACAS)

With ACAS and Tenable, you’re deploying a strategic IT security platform that enables you to anticipate, prioritize, and neutralize threats, nonstop. Learn more.

Tenable Solutions for ACAS

Security Center CV logo

Enterprise-Class, On-Prem Vulnerability Management

  • Comprehensive view of deployed assets and potential weaknesses in the IT environment
  • Innovative vulnerability management and configuration compliance solution with flexible cost structure that can be quickly deployed across DoD infrastructure
  • Fast and accurate network security assessment to increase accuracy of risk assessment and verify compliance with regulatory requirements
  • Continuous monitoring that provides essential situational awareness and enables risk-based management decisions consistent with federal guidelines
  • Scalable flexible architecture featuring both local and centralized control, analysis, and reporting based on mission requirements

Learn More Request a Demo

Continuous Diagnostics and Mitigation (CDM)

Continuous Diagnostics and Mitigation (CDM)

The DHS CDM program helps agencies and system integrators ensure that proper cybersecurity controls are in place, and identify and address cybersecurity risks in networks before they lead to breaches. The federal government has shifted from periodic assessment of security controls to continuous monitoring of all assets to ensure regulatory compliance and a strong defense against an increasingly hostile threat landscape. NIST requires all federal agencies to implement CDM programs.

Tenable Solutions for CDM

Security Center CV logo

Real-Time Visibility and Critical Context

  • Detects vulnerabilities, misconfigurations, and malware, and performs advanced analytics
  • Provides comprehensive visibility across the network with passive monitoring
  • Supports compliance with frameworks such as NIST (RMF, SP 800 Series, and SCAP), CIS Critical Security Controls (CSC), JSIG, and DFARS
  • Provides Assurance Report Cards (ARCs) that help you measure, analyze, visualize, and communicate your security posture to colleagues

Learn More Request a Demo


Interested in solutions that can help you deliver ACAS and CDM? Contact Tenable at +1.410.872.0555.

Defense POW/MIA Accounting Agency (DPAA)

The foundation of DPAA's ACAS solution is comprised of the Tenable SecurityCenter® platform integrated with Nessus® Network Monitor and Nessus®, the most widely deployed vulnerability and compliance scanner in the world. In addition to ACAS, DPAA also deployed Nessus on its classified networks.

Read the Case Study