Locate and Remove Prohibited Devices
Quickly identify prohibited devices such as Kaspersky, Huawei and ZTE that pose security risks.
Comply-to-Connect: The Basis for Cybersecurity
The cybersecurity challenges facing government agencies are more complex than ever and demand comprehensive solutions capable of securing networks, devices and data.
Federal government agencies, both civilian and military, need capabilities to manage cybersecurity risk and fulfill their mission to deliver security and services to the general public.
Enter Forescout. We offer unmatched agentless visibility, control and orchestration capabilities that scale to networks with tens of millions of endpoints. It’s no wonder the Forescout platform is the cybersecurity cornerstone in both the Continuous Diagnostics and Mitigation Program (managed by the Department of Homeland Security) and the Comply-to-Connect Program (managed by the Defense Information Systems Agency). Explore this site to learn why, then give us a call.
How Forescout Helps
Local, state and federal government agencies are prime targets for attackers, whether politically motivated, seeking information they can sell, or simply engaged in mischief. By providing secure network access for a wide range of devices and user populations, the Forescout platform helps government agencies protect their confidential data and support their compliance efforts with mandated policies, standards and regulations such as FISMA, NERC, ISO/IEC 27001 and the GDPR. Forescout can:
Government Solution Brief
As cyberthreats increase in numbers and effectiveness, government agencies must rethink how to eliminate intrusions, protect sensitive information and mitigate exposure to cyberattacks.
“When we start enriching data from other tools with accurate, real-time data from Forescout, our cybersecurity team is able to make data-driven decisions with confidence. It allows me to sleep at night.”
NIST RMF (Risk Management Framework)
Enforce a unified network security policy to address NIST RMF requirements
Forescout CounterACT® helps you proactively enforce a unified network security policy to address National Institute of Standards and Technology (NIST) RMF requirements in three key ways:
CONTINUOUS DIAGNOSTICS AND MITIGATION (CDM)
The Department of Defense has thousands of networks, each with many more thousands of connected things such as routers, switches, PCs and servers as well as connected systems (HVAC controls, security sensors, cameras, etc.) and mobile devices (phones and tablets). If you don’t know that a device is connected, you can’t defend it, the data on the device or the data it generates. Comply to Connect (C2C) is changing all of that.
C2C is a framework that restricts unauthorized device access; reduces known vulnerabilities; takes actions to detect, identify, characterize, report and deter anomalous behaviors; and maintains the secure configuration of the network and its information resources.
The C2C framework is designed to identify, address and mitigate the risks posed by unknown, unsecured devices and unauthorized users connecting to networks. Put simply, C2C is a network-based security policy monitor and enforcer that delivers continuous monitoring and remediation.
Host Based Security System (HBSS)
The HBSS Program is being phased out of the DoD and is being replaced by the Endpoint Security Solution (ESS). During this process and even beyond, DISA will continue to support the DoD Anti-Virus/Anti-Spyware Enterprise Capability.
The DoD antivirus program supports the operation and defense of the DoD Information Network (DoDIN) by providing virus protection to DoDIN assets.
Currently, the solution licensed by DISA for DoD use is McAfee AV/AS. This solution can be standardized and deployed both enterprise-wide and on isolated network enclaves (e.g., a tactical environment) to protect laptops, desktops, servers and e-mail gateways.
SOURCE: Defense Information Systems Agency (DISA) web site (www.disa.mil)
C2C capabilities deliver orchestration of the DoD’s other management and cybersecurity tools, including the current Anti-Virus/Anti-Spyware Enterprise Capability. Using the C2C PMO-provided Forescout eyeExtend-McAfee module, the C2C framework identifies endpoints whose agents are not loaded, not configured properly, not running, or not communicating with their parent server. C2C then automatically triggers an action to remediate the issue. If resolution cannot be accomplished automatically between the tools, the C2C platform can automatically generate a trouble ticket so that administrators are alerted that a device’s security tools are not providing the necessary protection. Once fixed, the device automatically receives its appropriate access to network resources.
Endpoint Security Solution
The DoD Endpoint Security Solutions (ESS) is an integrated set of capabilities that work together to detect, deter, protect, and report on cyber threats across all DoD networks.
Endpoint security is a DoD-wide effort that leverages the collaborative capabilities of the NSA, Services, DoD CYBER Range, Red Team support, and continuous market research through components and the MITRE corporation. The Endpoint ecosystem includes integrated solutions such as Comply to Connect (C2C), Containment, Visibility, and Assessment tools. The Endpoint ecosystem is constantly reviewed via the NIPRNet/SIPRNet Cyber Security Architecture Review (NSCSAR) process to ensure appropriate protections are in place to meet the ever-changing threat.
Provide Endpoint Security tools to prevent targeted and deliberate computer network operations against the DoDIN and destructive activity (malware infections, e.g. viruses, Trojan horses, worms, bots and rootkits) from nation states, criminals and hackers. Evolve DoD HBSS to Endpoint Security and integrate endpoint data into situational awareness tools such as the SECDEF CYBER SCORECARD.
SOURCE: Defense Information Systems Agency (DISA) web site (www.disa.mil)
C2C capabilities deliver orchestration of the DoD’s other management and cybersecurity tools, including the current Host Based Security System (HBSS), and will continue to perform this critical function as the DoD’s Endpoint Security Solution evolves. Using the C2C PMO-provided Forescout eyeExtend modules, the C2C framework identifies endpoints whose agents are not loaded, not configured properly, not running or not communicating with their parent server. C2C then automatically triggers an action to remediate the issue; if resolution cannot be accomplished automatically between the tools, the C2C platform can automatically generate a trouble ticket so that administrators are alerted that a device’s security tools are not providing the necessary protection. Once fixed, the device is automatically given its appropriate access to network resources.
Assured Compliance Assessment Solution (ACAS)
The Assured Compliance Assessment Solution (ACAS) is an integrated software solution that provides automated network vulnerability scanning, configuration assessment, and network discovery.
ACAS consists of a suite of products, including SecurityCenter, the Nessus Scanner and the Nessus Network Monitor (formerly the Passive Vulnerability Scanner), which DISA provides to DoD customers at no cost. DISA's Cyber Development (CD) provides program management for the Enterprise ACAS offering as well as help desk support and training.
SOURCE: Defense Information Systems Agency (DISA) web site (www.disa.mil)
C2C capabilities deliver orchestration of the DoD’s other management and cybersecurity tools, including ACAS. Using the C2C PMO-provided Forescout eyeExtend-Tenable module, the C2C framework can work seamlessly to identify endpoints that have not been scanned for vulnerabilities by ACAS within the policy-derived timeline. C2C then automatically triggers the ACAS tools to scan the device and report any findings back into the C2C platform. If any issues are detected, C2C can orchestrate remediation actions in multiple ways, and if nothing anomalous is discovered, the device is allowed to connect to the network as normal.
Command Cyber Readiness Inspections (CCRI)
Comply with CCRI Guidelines
C2C capabilities assist every DoD organization in getting – and staying – ready for CCRIs and CCORIs. Visibility (discovery, classification and compliance assessment) of every connecting device as well as the continuous monitoring of all connected endpoints, gives operators a new understanding of their network cyber readiness at all times. C2C capabilities also automate routine administrative functions, which raises the level of cyber readiness across all endpoints while cyber personnel focus their attention on the tough problems that need “gray matter” expertise. The C2C platform is a force multiplier for any team that has a pending inspection.
IEEE 802.1X is a port-based network access control standard that admits a device to an organization’s network by evaluating its credentials (a user name/password or a digital certificate, carried over EAP) against information held in an authentication server (usually a RADIUS server). 802.1X performs no analysis of a device’s security state and makes no assessment as to whether the person using an authenticated device is in fact the correct, authorized user.
For many years, 802.1X was an adequate way to manage network access control (NAC) because networks consisted mainly of traditional IT devices such as laptops, desktops and servers, all of which run mainstream operating systems such as Windows, macOS or Linux. The absence of any NAC protocol or technology for non-traditional devices connecting to networks is the precise gap C2C seeks to close. C2C effectively ends the practice of relying on 802.1X alone for NAC, because the entire program is premised on the need for the DoD to identify, assess and secure all assets, not just conventional computers.
C2C delivers agentless technology to identify, authenticate and assess every device for compliance before it is authorized and granted access to enterprise network resources. Compliant devices receive the requisite level of network access to perform their assigned function. Noncompliant devices receive limited access to network services and are effectively quarantined, to be automatically reassessed, remediated and granted network access once compliant. Unauthorized devices are restricted and unable to access the network.
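The three access tiers above (compliant, noncompliant-and-quarantined, unauthorized), together with the agent-health checks from the HBSS/ESS sections (agent not loaded, not running, not communicating with its server) and the ACAS check (no vulnerability scan within the policy window), amount to a small posture-evaluation state machine. The following is an added illustration of that logic written for this page; it is not Forescout, DISA or C2C PMO code, and it does not call any real eyeExtend module or ACAS API. The field names, the 24-hour agent-silence and 7-day scan-age thresholds, the action names, the sample endpoints and the simulated remediation handlers are all constructed assumptions; the one handler that deliberately fails shows the "cannot remediate automatically, open a trouble ticket" path.

```python
"""Illustrative C2C-style posture evaluation (constructed example, not vendor code)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Callable


class Access(Enum):
    FULL = "full"              # compliant: normal access for its assigned function
    QUARANTINE = "quarantine"  # noncompliant: remediation services only
    BLOCKED = "blocked"        # unauthorized: no network access


@dataclass
class Endpoint:
    # Assumed inventory fields; a real deployment would source these from the
    # AV/EDR management server and the vulnerability scanner.
    mac: str
    authorized: bool                      # known/authenticated asset
    agent_installed: bool
    agent_running: bool
    agent_last_checkin: datetime | None   # last report to its parent server
    last_vuln_scan: datetime | None       # last completed vulnerability scan


@dataclass
class Policy:
    max_agent_silence: timedelta = timedelta(hours=24)  # assumed threshold
    max_scan_age: timedelta = timedelta(days=7)         # assumed threshold


@dataclass
class Decision:
    access: Access
    findings: list[str] = field(default_factory=list)
    actions: list[str] = field(default_factory=list)


def evaluate(ep: Endpoint, policy: Policy, now: datetime) -> Decision:
    """Map an endpoint's posture to an access tier plus the remediation actions owed."""
    if not ep.authorized:
        return Decision(Access.BLOCKED, ["unauthorized device"], ["deny"])
    d = Decision(Access.FULL)
    if not ep.agent_installed:
        d.findings.append("agent not loaded")
        d.actions.append("install_agent")
    elif not ep.agent_running:
        d.findings.append("agent not running")
        d.actions.append("start_agent")
    elif ep.agent_last_checkin is None or now - ep.agent_last_checkin > policy.max_agent_silence:
        d.findings.append("agent not communicating with parent server")
        d.actions.append("restart_agent")
    if ep.last_vuln_scan is None or now - ep.last_vuln_scan > policy.max_scan_age:
        d.findings.append("no vulnerability scan within policy window")
        d.actions.append("trigger_scan")
    if d.findings:
        d.access = Access.QUARANTINE
    return d


Remediator = Callable[[Endpoint], bool]


def remediate(ep: Endpoint, decision: Decision, handlers: dict[str, Remediator]) -> list[str]:
    """Run each action's handler; return the actions that failed (these need a trouble ticket)."""
    failed = []
    for action in decision.actions:
        handler = handlers.get(action)
        if handler is None or not handler(ep):
            failed.append(action)
    return failed


NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)  # constructed reference time


def make_sample() -> list[Endpoint]:
    """Constructed endpoints: healthy, agent missing + stale scan, silent agent, unknown device."""
    return [
        Endpoint("00:11:22:33:44:01", True, True, True, NOW - timedelta(hours=1), NOW - timedelta(days=2)),
        Endpoint("00:11:22:33:44:02", True, False, False, None, NOW - timedelta(days=30)),
        Endpoint("00:11:22:33:44:03", True, True, True, NOW - timedelta(days=3), NOW - timedelta(days=1)),
        Endpoint("00:11:22:33:44:04", False, False, False, None, None),
    ]


def simulated_handlers(now: datetime) -> dict[str, Remediator]:
    """Stand-ins for orchestration calls; restart_agent is made to fail on purpose."""
    def install(ep: Endpoint) -> bool:
        ep.agent_installed = ep.agent_running = True
        ep.agent_last_checkin = now
        return True

    def scan(ep: Endpoint) -> bool:
        ep.last_vuln_scan = now
        return True

    def restart(ep: Endpoint) -> bool:
        return False  # simulate an agent that cannot be revived remotely

    return {"install_agent": install, "start_agent": install,
            "trigger_scan": scan, "restart_agent": restart}


def run_cycle(endpoints: list[Endpoint], policy: Policy, now: datetime) -> dict[str, dict]:
    """Evaluate, remediate quarantined endpoints, re-evaluate; report per MAC."""
    handlers = simulated_handlers(now)
    report = {}
    for ep in endpoints:
        first = evaluate(ep, policy, now)
        ticket: list[str] = []
        final = first
        if first.access is Access.QUARANTINE:
            ticket = remediate(ep, first, handlers)
            final = evaluate(ep, policy, now)
        report[ep.mac] = {"initial": first.access.value, "final": final.access.value,
                          "findings": first.findings, "ticket": ticket}
    return report


if __name__ == "__main__":
    for mac, row in run_cycle(make_sample(), Policy(), NOW).items():
        print(mac, row)
```

Running the cycle moves the agentless endpoint from quarantine to full access once its simulated install and scan complete, leaves the silent-agent endpoint in quarantine with a ticket for the failed restart, and never evaluates posture for the unauthorized device at all, matching the order of checks the text describes (authorize first, then assess, then grant the tier the assessment supports).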
U.S. GOVERNMENT CERTIFICATIONS
Trust a solution with the highest levels of military-grade and government security certifications
Forescout has achieved the following U.S. Government certifications and compliances:
U.S. GOVERNMENT CONTRACT VEHICLES
Ease procurement of U.S. Government contracts
The Forescout platform is authorized by the U.S. Government on the following contracts and purchasing schedules:
COMMAND CYBER READINESS INSPECTION (CCRI)
Improve your CCRI Score with the Forescout platform
The Forescout Visibility Platform helps improve all three components of your CCRI score.
Executive Summary: Command Cyber Readiness Inspection
Quantify the ROI of your Visibility and Control
In just 10 minutes we’ll help benchmark and analyze your opportunities for device and network security improvements
Get Your Personal Assessment