Since the Defense Information Systems Agency (DISA) began implementing its internal vulnerability management continuous monitoring security program – Assured Compliance Assessment Solution (ACAS) – officials who have worked closely with the solution have praised ACAS’s capabilities, from its continuous passive monitoring, to its dashboarding and prospects of scaling to the cloud.
DISA first issued ACAS’s program contract in 2012, but now that DISA has renewed the contract to maintain ACAS for another two years at the Department of Defense (DoD), the officials who have deployed and praised ACAS shared how DoD has reaped benefits from the program that it hasn’t seen before.
ACAS: The Background and Components
DISA awarded the ACAS contract to Perspecta – then HPES – in April 2012, and Tenable, Inc. has provided the software behind ACAS, which replaced Retina – the previous solution DoD used for its internal network security. Tenable’s software won out because it met DISA’s ACAS solution requirements for a fully integrated vulnerability assessment platform.
More specifically, Tenable’s solution provides continuous enterprise-wide visibility with both active and passive scanning by coupling two scanning applications. One is Nessus, which is not only compliant with Common Vulnerabilities and Exposures, but also DISA’s Security Technical Implementation Guidelines (STIGs).
The other application is the Nessus Network Monitor (NNM), previously named Passive Vulnerability Scanner (PVS), which passively monitors network traffic to spot new network hosts and applications that are vulnerable to compromise. Supporting and controlling Nessus and NNM is Tenable.sc Continuous View, which collects scanner data and provides reports and a custom dashboard.
Launching ACAS: The Transition and Early Benefits
Industry professionals recently spoke about the steps they took in launching the solution, as well as the benefits they saw ACAS deliver to DoD.
NorthTide Solutions Architect Phillip Katzman has spent the last 10 years working with DoD and its cybersecurity mission, and he currently focuses on delivering ACAS services to the Army Intelligence Security Command (INSCOM). He said ACAS launched for mandatory use across the services in January 2014 after DoD spent two years designing, storyboarding, data analyzing, and testing operable capability. The benefits ACAS brought over the prior solution were clear, he said.
“Prior vulnerability management software solutions – they were not web-based, not data-based,” Katzman said. “You were running it from an application on a system that generates a file for you to look at. What the game changer was, especially with ACAS, is that they were able to take that and put it into a data-driven web application that’s accessible from anywhere at any time.”
Katzman added that the ACAS enterprise reporting and dashboard capability allowed DoD to customize how cybersecurity leadership could conduct scans and look at data sets, “slicing and dicing” them as requested. Kent Nemoto, ACAS System Administrator, who worked with Katzman in implementing ACAS at Army INSCOM, added that the customizable aspect of the dashboards makes the application flexible for users.
Nessus also proved to create less network “noise,” with minimal network impact in its scanning, which Katzman credits to the power of ACAS’s web-based capabilities.
“Previous solutions were really, really noisy on the network,” he said. “You could tell when accreditations or assessments were going on because of the sweeps on the network and it just made things unusable. … [Nessus’] integration, the ability to leverage it as a true modern web application. That’s the biggest differentiator.”
The Army realized these benefits early in the capability testing phase of ACAS. Katzman said that when his team was working on the NNM launch at the U.S. Indo-Pacific Command (USINDOPACOM), NNM detected that a cleared defense contractor was issuing new email accounts to new employees on an HTTP – not a secure HTTPS – website, so those employees were typing their passwords in the clear. NNM detected that problem, allowing Katzman’s team to order a fix from the contractor.
“There were probably plenty of contracts, things that they had that were confidential logging on in a coffee shop or something,” Katzman said. “There’s no doubt in my mind that they were actually compromised. But that tool, something that we had just implemented as a test, really came out and instantly showed us that. That’s something that [DoD] still utilizes today.”
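The finding described above, credentials submitted over plaintext HTTP and spotted by a passive monitor, is the kind of check a defender can reason about in code. The following is an added example written for this page; it is not Tenable's NNM implementation and it assumes that HTTP requests have already been reassembled from a passive tap (a span port or mirror) into simple records. The record layout, the list of secret-bearing field names, and the rule that port 443 is treated as TLS (and therefore opaque to the tap) are all assumptions. It reports which host and field leaked a credential without ever echoing the secret itself.

```python
"""Passive detection of credentials submitted over plaintext HTTP.

Added example (not Tenable's NNM code). It inspects HTTP requests that a
passive tap has reassembled and reports credential material sent without
TLS, naming the host and the offending field but never the secret value.
The sample traffic at the bottom is constructed, not captured.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs
import json

# Field names that commonly carry a secret in login forms.
# Assumption: a starting list to tune for your own environment.
SECRET_FIELDS = {"password", "passwd", "pwd", "pass", "secret", "token"}

# Assumption: traffic on this port is TLS and cannot be inspected passively.
TLS_PORT = 443


@dataclass
class HttpRequest:
    """One reassembled request as a passive tap might hand it over."""
    src_ip: str
    dst_host: str
    dst_port: int
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: str = ""


@dataclass(frozen=True)
class Finding:
    src_ip: str
    dst_host: str
    path: str
    reason: str
    fields: tuple  # field names only, never the values


def _header(req, name):
    """Case-insensitive header lookup; returns '' when absent."""
    for k, v in req.headers.items():
        if k.lower() == name.lower():
            return v
    return ""


def _secret_fields(req):
    """Names of body fields that look like secrets (form or JSON bodies)."""
    ctype = _header(req, "Content-Type").lower()
    names = set()
    if "application/x-www-form-urlencoded" in ctype:
        names = set(parse_qs(req.body, keep_blank_values=True))
    elif "application/json" in ctype:
        try:
            obj = json.loads(req.body)
        except ValueError:
            return ()
        if isinstance(obj, dict):
            names = set(obj)
    return tuple(sorted(n for n in names if n.lower() in SECRET_FIELDS))


def inspect(req):
    """Return a Finding if req carries credentials in the clear, else None."""
    if req.dst_port == TLS_PORT:
        return None  # ciphertext only; nothing for a passive sensor to read
    auth = _header(req, "Authorization")
    if auth.lower().startswith("basic "):
        return Finding(req.src_ip, req.dst_host, req.path,
                       "HTTP Basic credentials sent without TLS",
                       ("Authorization",))
    if req.method.upper() == "POST":
        names = _secret_fields(req)
        if names:
            return Finding(req.src_ip, req.dst_host, req.path,
                           "login form submitted over plaintext HTTP", names)
    return None


def scan(requests):
    """Run inspect() over a batch of requests and keep only the findings."""
    return [f for f in (inspect(r) for r in requests) if f is not None]


# Constructed sample traffic (not captured data).
SAMPLE = [
    HttpRequest("10.0.0.5", "webmail.example.test", 80, "POST", "/login",
                {"Content-Type": "application/x-www-form-urlencoded"},
                "user=jsmith&password=hunter2&remember=1"),
    HttpRequest("10.0.0.6", "api.example.test", 8080, "GET", "/v1/status",
                {"Authorization": "Basic anNtaXRoOmh1bnRlcjI="}),
    HttpRequest("10.0.0.7", "portal.example.test", 443, "POST", "/login",
                {"Content-Type": "application/json"},
                '{"user": "jsmith", "password": "hunter2"}'),
    HttpRequest("10.0.0.8", "www.example.test", 80, "GET", "/index.html"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.src_ip} -> {f.dst_host}{f.path}: {f.reason} "
              f"(fields: {', '.join(f.fields)})")
```

Run as a script it prints two findings: the form login to webmail.example.test and the Basic-auth call to api.example.test. The JSON login to port 443 and the plain page fetch produce nothing, which is the point of a passive sensor: it only sees what crosses the wire unencrypted, so a clean result from the tap is evidence only about plaintext flows, not about hosts that never talk or that speak TLS.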
Long-Lasting Benefits for DoD
DISA renewed Tenable’s software license under the ACAS contract in December 2018 based on the success of the technology in the first seven-year contract, according to Chris Cleary, now a vice president of business development and strategy at Leidos and formerly a Tenable business development director who worked with DISA leading up to the contract recompete.
Cleary said DISA does “all things security – administrative-wise” for DoD, and ACAS’s structure has made the administrative portion of DISA’s work much easier.
“Under the ACAS program guidelines, point-in-time scanning is performed once a month and does a scan to find vulnerabilities in the enterprise and provides context that will help the operator correct those vulnerabilities,” Cleary said. “It rinses and repeats. It’s deliberate in this aspect and therefore mechanical in its implementation and execution.”
“In addition to this baseline scanning and reporting, an added value of Tenable’s solution is that NNM provides passive, continuous monitoring that goes beyond the ACAS program requirements and provides constant vigilance,” he added.
The scheduled scans and automated reports simplify the jobs of administrators and engineers within DoD, Katzman added. Instead of spending their time responding to requests for different reports, they can focus on high-value aspects of their mission, which has improved the quality of their work.
“The solution is now able to automate many of those functions and features and the risk dashboard, especially with the ARCs – the assurance report cards – which is a newer feature that [ACAS] is building out,” Katzman said. “When we should be focusing on the mission, and developing and designing a system, now we get to do that. The solution gives us a lot of time.”
Creating efficiency for the tech workforce goes hand-in-hand with cost-savings ACAS has yielded.
Automating and simplifying administrative features of DoD’s vulnerability and risk management process has reduced the need to hire contractors and freed up DoD personnel who had spent their time doing lower value work, Katzman said. And ACAS has broken down siloed scanning and administration with its enterprise-wide scope, which has created more flexibility in expanding operations without piling on costs, he added.
Beyond labor and cost savings, Katzman emphasized the technological benefits ACAS has brought to DoD.
“The solution’s reporting capability is a critical game changer, particularly because reports can be tailored to different needs,” Katzman said, adding that the real-time components of ACAS are impressive and vital for DoD’s vulnerability management mission.
“The benefit is continuous monitoring, and what we’re really able to see in near real time,” Katzman said. “Asset and inventory management is extremely difficult and being able to see a large majority of your assets at any one time is excellent. That’s why there’s so many different complementary tools – the passive aspect of it, if you want to see things that aren’t quite talking all the time. Point-in-time scans are great, but the asset needs to be online for you to see that.”
ACAS’s Path Forward With DoD to Cloud Scalability
Although Cleary, Katzman, Nemoto, and others at DoD have touted the success and benefits of ACAS thus far, they also spoke about the future capabilities of the solution at the department and how scaling to the cloud is the next big step for ACAS.
Cleary said that ACAS is currently designed as an on-premises application, so it is installed on, and runs exclusively on, computers at the sites of those using the solution. As DoD continues migrating its servers onto cloud platforms, the ACAS program will need to evolve beyond on-premises deployment and scale up to provide cloud-level security and scanning services.
“Once you can deploy or leverage Tenable to the cloud, scalability goes through the roof,” Cleary said.
Scaling ACAS to the cloud will also drive efficiency and the speed of the solution’s capabilities, according to Katzman. He said that taking the on-prem Nessus scanner to the cloud is the next step he sees for Tenable and DoD.
“As everything moves into the cloud – becomes smaller, microservices, containerization – we will need to see some on-prem version of a vulnerability scanner, data analysis that can be done on the fly in the cloud,” he said. “The cloud scalability is almost instantaneous, and at a snap with your fingers, you can spin 200,000 to 500,000 virtual machines.”
As DoD prepares to soon issue its Joint Enterprise Defense Infrastructure (JEDI) cloud contract, Katzman said JEDI looks to break down the siloed nature of each military service’s servers and networks. Since DoD can deploy Tenable.sc under ACAS at various levels, with each instance reporting to one or more higher-level security center instances, ACAS can give DoD leadership a greater view into, and control over, the department’s enterprise-wide IT assets and their vulnerability and compliance status.
Katzman said JEDI and other enterprise-wide cloud solutions therefore work well together with ACAS, which provides the flexibility and enterprise-wide capabilities that DoD needs in its internal vulnerability network monitoring, so that DoD’s cloud migration and ACAS’s growth follow the same trajectory.