Government agencies choose ForeScout for Visibility, Control and Automation

ForeScout CounterACT is a powerful, plug-and-play and agentless network visibility and control automation solution that is ideally suited to help Federal agencies control network access, protect sensitive data, and comply with Defense standards, guidelines and best practices.

ForeScout CounterACT addresses the advanced network security requirements that many U.S. and global government agencies as well as regional municipalities require, including:

  1. Port Authentication. The requirement for port authentication is contained in the Security Technical Implementation Guide (STIG) that is published by the United States Defense Information Systems Agency (DISA). This document states that DoD networks must control access at the switch port leveraging protocols such as 802.1X.
  2. IAVA Compliance. The United States DoD must comply with Information Assurance Vulnerability Alerts (IAVA) that are identified by the DoD-CERT, a division of the US Cyber Command.
  3. Rogue Devices and Applications. Many defense organizations have restrictions against the use of USB memory sticks and peer-to-peer (P2P) applications.
  4. Continuous Monitoring. The Federal Information Security Management Act (FISMA) of 2002, OMB policy, and the implementing standards and guidelines developed by NIST require a continuous monitoring approach. Continuous monitoring is a systematic approach to determine if the deployed security controls within an organization are effective over time in light of the inevitable changes that occur.

Wallace Sann, ForeScout Federal CTO, speaking at a AFCEA Cybersecurity Symposium.

ForeScout CounterACT’s military-grade security protects many of the network infrastructures of the DoD, its military contractors and suppliers. In 2011, ForeScout achieved the industry’s highest level of security certification for a Network Access Control (NAC) solution involving assurances from the EAL 4+ level. ForeScout CounterACT is also included in the DISA UC APL demonstrating that CounterACT met the government’s high standards for security, ease of use and deployment, low end-user impact, and interoperability with existing remediation solutions and infrastructure agnostic requirements.

Much of ForeScout’s success is based on CounterACT’s ability to see every IP device connected to the network, control connections down to the point of entry, and provide policies to enable and enforce security processes and standards. Enforcement actions can range from VLAN assignments with or without 802.1X first being deployed, port-based ACL and/or a virtual firewall.

A leader in Gartner’s Magic Quadrant for Network Access Control for the past four years, ForeScout CounterACT‘s policy-based security platform for endpoint compliance automation can help Government IT organizations to create, monitor and enforce endpoint security policies in accordance with DISA STIGs and CJCSI directives. ForeScout CounterACT helps streamline and automate processes at every phase of the endpoint compliance lifecycle enabling IT organizations to satisfy CCRI audit requirements, or other audits, and achieve a level of continuous compliance with minimal effort. CounterACT also helps organizations comply with internal government regulations such as FISMA and NERC. Our integrated approach to dynamic monitoring and mitigation enables government authorities and local agencies/councils to expedite compliance to connect to public service networks, which require security assurance that the use of unmanaged endpoints, including the use of personal devices, to access the PSN or PSN services is not permitted.

ForeScout effectively addresses the unique network security challenges that government agencies face, including:

  • Size. Large numbers of devices, spread over wide geographies.
  • Dynamic. Government agencies often need to connect their networks to other public and private networks that are not trusted.
  • Heterogeneity. Because of government bidding requirements, government networks are typically comprised of equipment from multiple vendors.
  • Shared resources. Government agencies will often share their office space with other agencies and non-governmental entities. Physical control of the environment might not be possible.
  • Heightened need for security. State secrets and other highly confidential information must be protected.

Government agencies must look for opportunities to drive down costs and improve security wherever possible. Many government agencies in Federal and supporting contractors use ForeScout CounterACT to accelerate “connect to comply” strategies, strengthen security enforcement, and prove regulatory compliance. ForeScout CounterACT delivers real-time visibility and control of devices on the network. CounterACT, a Common Criteria EAL 4+ solution, provides network access control, endpoint compliance, and threat control, in one automated system.


ForeScout Wins 2013 GOVTek Executive Government Technology Award for Best Mobility Solution
ForeScout Wins 2013 GOVTek Executive Government Technology Award for Best Mobility Solution

“Government Technology Research Alliance (GTRA) has recognized ForeScout as a security leader supporting enterprise mobility management within the government community…’We welcome the opportunity to assist them by providing visibility of the devices attempting to access network resources and sensitive data, and to enforce policy and enable control of personal and mobile devices.’”



ForeScout Wins Homeland Security Award from Government Security News

“ForeScout helps government agencies at the federal, state and municipal level meet the numerous access control and continuous endpoint compliance requirements with an agentless, easy to deploy and scalable solution. To be recognized as a security leader among the government community is truly an honor. As the federal government embarks on its continuous mitigation and diagnostics efforts, we welcome agencies’ commitments to ForeScout for help in meeting advance port control requisites, real-time asset management, and endpoint compliance objectives, ” said Niels Jensen, vice president of federal sales at ForeScout.“
Click here for more information.


ForeScout CounterACT is a continuous monitoring security control platform that delivers real-time visibility and control of devices on your network. CounterACT delivers:

  • Port-level access control. ForeScout CounterACT helps organizations meet the access control requirements as detailed in the DISA STIG.
  • Network policy compliance. In addition to the simple port-level access control requirements mandated by the DISA STIG, ForeScout CounterACT includes many advanced network visibility and policy enforcement features.
  • IAVA compliance. ForeScout CounterACT integrates with products from Beyond Trust (eEye Retina) or Tenable Nessus to deliver a combined vulnerability assessment (VA) and network access control (NAC) solution which automates the process of ensuring that devices on the network are in compliance with IAVA standards.
  • Control unauthorized USB devices and applications. ForeScout CounterACT blocks unauthorized USB devices and applications (e.g. P2P) from computers on the network.
  • Integration with McAfee ePolicy Orchestrator (ePO™). ForeScout CounterACT integrates bi-directionally with McAfee ePO. Specifically, ForeScout CounterACT provides ePO with real-time information about computers on the network, including many parameters (such as the location of computers) that is otherwise unavailable to ePO. This additional information gives security managers a higher degree of Situational Awareness and a greater degree of control over managed endpoints (those within the scope of McAfee ePO).
  • ControlFabric Integration. The information generated by ForeScout CounterACT can be exported to your existing GRC or reporting systems. Integrations are available for most leading SIEM systems, and end-users can build custom integrations with the Open Integration Module.
  • Scalability. ForeScout CounterACT has more large deployments than any other network access control solution. Our product has been proven in organizations with upwards to 1 million endpoints that manage their network from a single centralized ForeScout CounterACT enterprise manager console.
  • Compatibility. ForeScout CounterACT is an out-of-band, network-based appliance that works with your existing network infrastructure – no switch upgrades, no network reconfigurations. CounterACT integrates with major enterprise switches, both 802.1x and non-802.1x.
  • Achievements. ForeScout CounterACT has achieved the following certifications and compliances:
    • FIPS 140-2
    • Common Criteria Evaluation certification EAL4+
    • USMC ATO
    • US Army CoN (Certificate of Networthiness)
  • Contract Vehicles. ForeScout CounterACT is listed in several government contracts to ease procurement:
    • GSA Schedules (also referred to as Multiple Award Schedules and Federal Supply Schedules)
    • NASA SEWP (Solutions for Enterprise-Wide Procurement) GWAC (Government-Wide Acquisition Contract)
    • ITES/2H (Managed and used by US Army. Also used by DoD and other federal agencies)
    • Encore II (Managed by DISA, Defense Information Systems Agency)


With ForeScout CounterACT, government agencies achieve the following benefits:

Strong Security
  • Comply with requirements and mandates, such as DISA STIG, FISMA, etc.
  • Ensure that unauthorized users are not on your network. Visibility across the enterprise.
  • Reduce risk of data loss by ensuring that encryption, whitelisting and DLP agents are running, users are not running unauthorized applications or peripheral devices (e.g. USB memory sticks).
  • Reduce risk of infection by ensuring that antivirus is properly updated and vulnerabilities are patched.
  • Block rogue and unauthorized personal devices such as smartphones, tablets, or embrace mobile security with an effective tiered approach to BYOD.
  • Identify rogue network infrastructure devices such as wiring hubs, wireless access points, and DHCP servers. Often these unauthorized devices are the source of network instability and outages.
Reduce Costs
  • Large organizations have reported savings of up to $1 million per year with ForeScout CounterACT.
  • Avoid penalties of lost data. A secure network, with secure endpoints, is less likely to lose data. Avoid fines and the devastating costs of data loss.
Save Time
  • Real-time information improves situational awareness and lets you take action while the problem still exists.
  • Integration with other security systems, including SIEM (Arcsight, Q1, McAfee ESM etc), anti-virus, and MDM vendors such as McAfee, MobileIron, MaaS360, etc.
  • Avoid time-consuming drills to repair infected workstations.
Break down information silos
  • Through ForeScout’s ControlFabric architecture, customers can achieve continuous monitoring and mitigation capabilities that better leverage their infrastructure investments and optimize IT resources.
Avoid Disruption
  • Unlike simplistic products that disrupt users with heavy-handed security controls, ForeScout CounterACT offers a full spectrum of enforcement actions ranging from gentle (notifications) to assertive (update software or kill processes). The range of enforcement actions helps you be more successful by working with users, not against them.
Improve Network Stability
  • Clientless approach identifies rogue network infrastructure such as wiring hubs, wireless access points, DHCP servers and mobile devices. Often these unauthorized devices are the source of network instability and outages.
Painless Deployment
  • ForeScout CounterACT is the fastest, easiest way to gain strong access control, regardless of whether you are planning to utilize 802.1x for authentication and port control.
  • ForeScout CounterACT is a simple appliance that installs out-of-band on your network. It requires no software installation. Installation can be done in one afternoon, full operation including policy enforcement in a matter of days.
Security Assurance
  • With EAL4+, government agencies can be assured that the specification, implementation and effectiveness of CounterACT for Network Access Control have been evaluated in a rigorous and standardized manner to meet their security and compliance needs.

Product Tours

Product Demonstrations

Port Security

ForeScout CounterACT provides port-based network access control–with or without 802.1x.

Product Screenshots

Click image to enlarge.

Windows PC inventory with missing updates

ForeScout CounterACT shows you in realtime which PCs on your network contain vulnerabilities.

Virtual Client-unauthorized changes

ForeScout CounterACT can identify unauthorized changes to PC configurations or software.

Unauthorized processes

ForeScout CounterACT shows you which PCs are running unauthorized processes.

Unapproved Network WiFi device

ForeScout CounterACT identifies rogue WiFi devices.

Kill peer-to-peer user experience

ForeScout CounterACT lets you kill unauthorized software, keeping endpoint systems in compliance with your security policies.

Global Overview

ForeScout CounterACT includes a built-in map that shows compliance statistics by site.

Site Visibility

From the map, you can drill down to see host information by site.

802.1X Policy Wizard

ForeScout CounterACT policy wizard makes it easy to control network access using 802.1X.

Mobile Security

By integrating with an MDM system, or using ForeScout Mobile, you can easily detect jailbroken or rooted smartphones and apply appropriate network access policies.




Analyst Reports

Solution Briefs

White Papers

Technical Notes

Webinars and Webcasts



Blogs and Articles

Press Release

Success Stories