Nessus is a security scanner used by Safeguards to conduct automated compliance scanning of information systems that receive, process, store, and/or transmit Federal Tax Information (FTI) during on-site reviews. It delivers detailed information about the security controls in place to protect FTI. Nessus compliance scans are credentialed configuration audits: they read system settings rather than attempting exploits, so they are non-intrusive and do not disrupt the agency's network. The Safeguards compliance baselines are tailored to Publication 1075 requirements, and Nessus scans must use them.
Running and/or obtaining Nessus compliance scan results is currently required for the on-site assessment of vendor-supported Windows and UNIX operating systems, Oracle and SQL Server database management systems, Apache and IIS web servers, Cisco ASA and IOS software, and VMware ESXi hypervisors. Additional technologies and platforms will be added as part of quarterly methodology updates, based on available CIS benchmarks. See the listing of Nessus Audit Files for the most current files.
Scans are required for all locations receiving, storing, accessing, and/or processing FTI. This includes, but is not limited to: agency data centers, consolidated data centers, third-party vendors, and county or field offices.
For those who were unable to attend the Safeguards Office Hours call, we have provided links to the documents associated with the call.
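As an added example (it is not part of this page and not a Safeguards tool), the following Python script reads a Nessus v2 export (.nessus file) and summarizes its compliance results the way a reviewer asks for them: a per-host count of PASSED, FAILED, WARNING and ERROR checks, the list of failed checks with actual versus expected values, and the set of .audit files the scan actually ran, which lets an agency confirm the Safeguards baseline was applied before the on-site review. The export embedded in the script is constructed for illustration; the host addresses and the audit file name are placeholders, not real agency data or a real Safeguards audit file.

```python
"""Summarize compliance results from a Nessus v2 (.nessus) export.

Compliance findings are ReportItem elements carrying cm:compliance-* children
in the http://www.nessus.org/cm namespace. Vulnerability plugins share the same
ReportItem structure but have no cm:compliance-result, so they are skipped.
"""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

CM_NS = "http://www.nessus.org/cm"  # namespace Nessus uses for compliance elements


def _cm(tag):
    """Qualify a compliance element name with the cm namespace."""
    return f"{{{CM_NS}}}{tag}"


# Constructed sample export (not a real scan): two hosts, four compliance
# checks and one non-compliance plugin result that must be ignored.
# The audit file name is a placeholder, not an actual Safeguards audit file.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2 xmlns:cm="http://www.nessus.org/cm">
<Report name="sample">
<ReportHost name="10.0.0.5">
 <ReportItem port="0" svc_name="general" protocol="tcp" severity="3" pluginID="21156" pluginName="Windows Compliance Checks" pluginFamily="Policy Compliance">
  <cm:compliance-check-name>Ensure 'Enforce password history' is set to '24 or more password(s)'</cm:compliance-check-name>
  <cm:compliance-result>FAILED</cm:compliance-result>
  <cm:compliance-audit-file>example_safeguards_windows.audit</cm:compliance-audit-file>
  <cm:compliance-actual-value>5</cm:compliance-actual-value>
  <cm:compliance-policy-value>[24..MAX]</cm:compliance-policy-value>
 </ReportItem>
 <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="21156" pluginName="Windows Compliance Checks" pluginFamily="Policy Compliance">
  <cm:compliance-check-name>Ensure 'Minimum password length' is set to '14 or more character(s)'</cm:compliance-check-name>
  <cm:compliance-result>PASSED</cm:compliance-result>
  <cm:compliance-audit-file>example_safeguards_windows.audit</cm:compliance-audit-file>
  <cm:compliance-actual-value>14</cm:compliance-actual-value>
  <cm:compliance-policy-value>[14..MAX]</cm:compliance-policy-value>
 </ReportItem>
 <ReportItem port="0" svc_name="general" protocol="tcp" severity="2" pluginID="21156" pluginName="Windows Compliance Checks" pluginFamily="Policy Compliance">
  <cm:compliance-check-name>Review local administrators group membership</cm:compliance-check-name>
  <cm:compliance-result>WARNING</cm:compliance-result>
  <cm:compliance-audit-file>example_safeguards_windows.audit</cm:compliance-audit-file>
 </ReportItem>
 <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="19506" pluginName="Nessus Scan Information" pluginFamily="Settings">
  <plugin_output>Scan information only; no compliance data.</plugin_output>
 </ReportItem>
</ReportHost>
<ReportHost name="10.0.0.6">
 <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="21156" pluginName="Windows Compliance Checks" pluginFamily="Policy Compliance">
  <cm:compliance-check-name>Ensure 'Enforce password history' is set to '24 or more password(s)'</cm:compliance-check-name>
  <cm:compliance-result>PASSED</cm:compliance-result>
  <cm:compliance-audit-file>example_safeguards_windows.audit</cm:compliance-audit-file>
  <cm:compliance-actual-value>24</cm:compliance-actual-value>
  <cm:compliance-policy-value>[24..MAX]</cm:compliance-policy-value>
 </ReportItem>
</ReportHost>
</Report>
</NessusClientData_v2>
"""


def parse_compliance(xml_text):
    """Return one dict per compliance check in the export, in document order."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.findall("ReportItem"):
            result = item.find(_cm("compliance-result"))
            if result is None:
                continue  # vulnerability or informational plugin, not a compliance check
            findings.append({
                "host": host.get("name"),
                "check": item.findtext(_cm("compliance-check-name"), ""),
                "result": (result.text or "").strip().upper(),
                "audit_file": item.findtext(_cm("compliance-audit-file"), ""),
                "actual": item.findtext(_cm("compliance-actual-value"), ""),
                "expected": item.findtext(_cm("compliance-policy-value"), ""),
            })
    return findings


def summarize(findings):
    """Per-host tally of PASSED / FAILED / WARNING / ERROR results."""
    tally = {}
    for f in findings:
        tally.setdefault(f["host"], Counter())[f["result"]] += 1
    return tally


def failed_checks(findings):
    """Checks that need remediation or a documented exception before the review."""
    return [f for f in findings if f["result"] in ("FAILED", "ERROR")]


def audit_files_used(findings):
    """Audit files the scan ran; compare against the expected Safeguards baseline."""
    return {f["audit_file"] for f in findings if f["audit_file"]}


if __name__ == "__main__":
    # Pass a real export path as argv[1]; otherwise the constructed sample is used.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_NESSUS
    found = parse_compliance(text)
    print("Audit files used:", ", ".join(sorted(audit_files_used(found))))
    for host, counts in summarize(found).items():
        print(host, dict(counts))
    for f in failed_checks(found):
        print(f"  {f['host']}: {f['check']} (actual {f['actual']!r}, expected {f['expected']!r})")
```

Run it against an export from the Nessus UI or API (`python summarize_compliance.py scan.nessus`) and compare the audit file names it prints with the Safeguards audit file listing; an empty set or an unexpected name means the scan was not run with the required baseline and will not satisfy the review.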
- Nessus Compliance Scanning Office Hours Call Agenda (PDF)
A brief overview of what was discussed on the call.
- Nessus Compliance Scanning Office Hours Call Script (PDF)
The speaker’s notes, which were requested by those on the call.
- Nessus Compliance Scanning Office Hours Call Notes – Q/A (PDF)
Question and Answer portions of each call.
- Nessus Compliance Scanning Common Issues (PDF)
A list of items we have encountered prior to and during Safeguards reviews.