Comparing the PCI, CIS and FDCC Certification Standards
As a vendor, Tenable has to demonstrate compliance in many different types of categories. The Payment Card Industry, the Center for Internet Security and US government's FDCC program all have certification standards and procedures for vendors like Tenable. Since Tenable is certified in most of these these categories (we're in the process of becoming an ASV), I though it would be interesting for our blog readers to share some of our insights into the differences and misconceptions between them.
PCI
The biggest misconception about PCI is that you need to be an Authorized Scanning Vendor (ASV) to be relevant in the industry. This isn't true, otherwise you would not see the focus on PCI from other log management, intrusion detection or antivirus vendors.
Being an ASV means that you can perform a remote, un-credentialed vulnerability scan with minimal false positives and false negatives. Unlike CIS or FDCC, the ASV scanning test is a secret. There is no published list of vulnerabilities an ASV is required to find. It's also a small-scope test but does test the comprehensiveness of the scanner.
The ASV certification only tests the scanning service itself. It does not actually test the products a company sells.
FDCC
The US government's FDCC (SCAP) program involves laboratory testing to ensure that vendors like Tenable can consume XCCDF content, perform an audit and generate a compliant OVAL report.
As a vendor, we select a lab that is certified by NIST to perform this testing. We then go into the lab, train the analysts performing the test, and then walk away. That is the coolest part. No other certification that Tenable does is as hands-off as that.
The largest misconception about the FDCC certification is that they are all the same. You can be an FDCC certified vendor just by demonstrating that you have CVE entries in your vulnerability scanner results. There are other more advanced FDCC standards, which means you can be certified that you can do the actual XCCDF based configuration auditing. FDCC only tests a product's ability to parse XCCDF content as it pertains to FDCC policies for Windows XP and Vista. It is not a generic XCCDF certification.
CIS
The last standard I'd like to talk about is being a certified CIS vendor. The CIS organization will certify specific vendor audits for technologies, but does not certify the actual product. In Tenable's case, we've been certified in performing an audit with Nessus for many different types of routers, operating systems and applications.
To get certified, we need to demonstrate that our audits can detect compliant and non-compliant settings. This data is prepared and sent to the CIS organization, where it is then reviewed.
They don't perform any actual testing and also don't dictate how the tests are supposed to be done. I like the fact that CIS does not mandate how a test is performed which means you can use scanning, a credentialed audit, an agent, a reference gold image or magic, ESP and UFOs. Compared to PCI or FDCC, these standards often dictate how to configure a scan or leverage credentials which limits a vendor's ability to innovate.
Conclusion
As security practitioners, it's important to know the major and minor differences between these standards, as they are often referenced in the marketing claims of vendors, in the media and perhaps even auditors who aren't all equally aware of the technical details. If you have feedback on this, feel free to message me on Twitter @RonGula.
Related Articles
Study: Tenable Offers Fastest, Broadest Coverage of CISA's KEV Catalog
October 23, 2023Tenable ranked first in multiple vulnerability management categories, including the most comprehensive coverage and quickest detection of CISA's Known Exploited Vulnerabilities, according to a Miercom report commissioned by Tenable.
Tuning Network Assessments for Performance and Resource Usage
September 13, 2022Using the correct tool for the job and optimizing scanner placement will have a large impact on scan efficiency with Nessus, Tenable.io and Tenable.sc.
Terrascan Joins the Nessus Community, Enabling Nessus To Validate Modern Cloud Infrastructures
May 17, 2022The addition of Terrascan to the Nessus family of products helps users better secure cloud native infrastructure by identifying misconfigurations, security weaknesses, and policy violations by scanning Infrastructure as Code repositories.
Cybersecurity Snapshot: NIST Program Probes AI Cyber and Privacy Risks, as U.S. Gov’t Tackles Automotive IoT Threat from Russia, China
September 27, 2024A new NIST program will revise security frameworks like NIST’s CSF as AI risks intensify. Plus, the U.S. may ban cars with Russian and Chinese IoT components. Meanwhile, the CSA adds AI insights to its zero trust guide. And get the latest on cybersecurity budgets, SBOMs and the Ghost cybercrime platform!
CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177: Frequently Asked Questions About Common UNIX Printing System (CUPS) Vulnerabilities
September 26, 2024Frequently asked questions about multiple vulnerabilities in the Common UNIX Printing System (CUPS) that were disclosed as zero-days on September 26.
Establishing a Cloud Security Program: Best Practices and Lessons Learned
September 26, 2024As we’ve developed Tenable’s cloud security program, we in the Infosec team have asked many questions and faced interesting challenges. Along the way, we’ve learned valuable lessons and incorporated key best practices. In this blog, we’ll discuss how we’ve approached implementing our cloud security program using Tenable Cloud Security, and share recommendations that you may find helpful.
- Nessus
- Security Frameworks
- Standards
- Vulnerability Management