On March 21st, Tenable announced that our products were officially under NIAP Common Criteria evaluation. Tenable is scheduled to complete the certification this year. This was good news to our United States DOD customers, but we also received a wide variety of feedback and comments which is the focus of this blog.
Common Criteria in the DOD
If you are not familiar with the concept of NIAP, the DOD can only officially acquire products that have gone through this sort of evaluation. In reality, organizations can get a waiver if they want to purchase something that has not been certified. Most organizations also wait until a product is officially "in evaluation" with NIAP before they attempt to acquire it.
The National Information Assurance Project (NIAP) is a U.S. Government initiative between the National Institute of Standards and Technology (NIST) and the National Security Agency. NIAP sponsors a variety of projects and activities, including the Common Criteria Evaluation and Validation Scheme (CCEVS). The Common Criteria is a standard for evaluation of security measures in a given product. Many government agencies require that products they deploy have been evaluated under the Common Criteria process.
Tenable has contracted SAIC to perform a Common Criteria (CC) Evaluation at Evaluation Assurance Level Two Augmented with Flaw Remediation (EAL2+) of the Tenable Security Center 3.2 product. The Target Of Evaluation (TOE) includes all the elements that comprise a full deployment of the Security Center suite: Nessus Vulnerability Scanner (Nessus), Log Correlation Engine (LCE) and the LCE Clients, Passive Vulnerability Scanner (PVS), and the 3D Tool (3DT).
We're not finished with NIAP by any means, but to get into evaluation means that our product architecture, documentation and even our internal processes at Tenable has been considered. In some cases, we had to add certain features into Security Center 3.2 or enhance our documentation specifically because of a NIAP requirement.
United States Based Sources for Plugin Downloads
We've participated in a few trade shows since our announcement and one type of feedback we consistently got from DOD attendees was:
It's great that your products are in certification, but I can't use Nessus because the downloads come from France.
This really surprised us, because there are a great number of ".mil" accounts used to register for Nessus. Although we don't publish Nessus download statistics, we never felt that the ".mil" community was under-represented. As it turns out, certain portions of the DOD block all access to international sites. In this case, plugins.nessus.org is hosted by an ISP based in France. This is the site that the "free" users of Nessus obtain their registered plugins from.
Our co-founder and Nessus author Renaud Deraison is from France. Because of this, you should expect that Tenable has been able to have great relationships with new customers and business partners there. In this case, we have site that supports all worldwide Nessus user plugin downloads.
Tenable has several places we conduct our hosting, mail delivery and product distribution. The main page that plugins are distributed to Direct Feed and Security Center customers is from our offices in Columbia, Maryland. If you need to obtain plugins directly from a United States sources, you can do this with a purchase of the Direct Feed or operate the Security Center.
For More Information
If you are interested in Tenable products, please feel free to contact us or visit our products pages. To review our evaluation status with NIAP, please visit: http://www.niap-ccevs.org/cc-scheme/in_evaluation.cfm