Forescout STIG Y23M07 Checklist Details

Target:

Forescout Enterprise Manager
CPE Name: cpe:/a:forescout:enterprise_manager:-

Checklist Highlights

Checklist Name:
Forescout STIG
Checklist ID:
982
Version:
Y23M07
Type:
Compliance
Review Status:
Final
Authority:
Governmental Authority: Defense Information Systems Agency
Original Publication Date:
11/20/2020

Checklist Summary:

The Forescout Security Technical Implementation Guide (STIG) provides the technical security policies, requirements, and implementation details for applying security concepts to the Forescout Enterprise Manager (EM) and Forescout appliance. The STIG is a package of two STIGs that together ensure the secure implementation of the Network Device Management (NDM) function and the Network Access Control (NAC) traffic services.

Forescout provides a platform that continuously identifies, segments, and enforces compliance of every connected thing across any heterogeneous network to secure the Enterprise of Things. Forescout is vendor agnostic and integrates with compatible switches and other network infrastructure equipment to achieve full visibility into enterprise devices and enforce DoD access control policies. Devices may be managed or unmanaged, agentless or with agent, and are assessed by policy directly configured with attributes collected during the initial scan process.

Forescout provides access control network services that are user aware. These services allow trusted users who are using validated endpoints configured in compliance with the organization’s security policies to remain productive while protecting critical network resources and sensitive data. Forescout implements functions such as traffic filtering, authentication, access, and authorization based on computer and user privileges. Forescout also integrates with various third-party tools, allowing for the orchestration and automation of various enterprise cybersecurity functions.

An Enterprise Manager, as well as at least one appliance, should be implemented to meet redundancy and centralization requirements. The Enterprise Manager allows the organization to meet centralized management requirements of multiple appliances and provides a more robust management and auditing tool. Audit tools for Forescout include the Web Portal and Enterprise Management software.

Additionally, because Forescout can also be configured for malware threat protection, guest access, and other capabilities, a complete security assessment requires assessing all modules integrated into the specific DoD implementation. Each security review must include the Forescout NDM STIG and Forescout NAC STIG, at a minimum, regardless of the role in the network architecture or modules installed. Because product STIGs are not available for all configurations/modules, use of existing generic technology STIGs may be required to secure these functions. This STIG focuses on the hardware-based Forescout platform. The Forescout virtual platform was not tested and is not part of the scope of this STIG.

Checklist Role:

  • Business Productivity Application

Known Issues:

Not provided.

Target Audience:

Parties within the DoD and Federal Government’s computing environments can obtain the applicable STIG from the Cyber Exchange website at https://cyber.mil/. This site contains the latest copies of STIGs, SRGs, and other related security information. Those without a Common Access Card (CAC) that has DoD Certificates can obtain the STIG from https://public.cyber.mi

Target Operational Environment:

  • Managed
  • Specialized Security-Limited Functionality (SSLF)

Testing Information:

Not provided.

Regulatory Compliance:

DoDI 8500.01

Comments/Warnings/Miscellaneous:

Not provided.

Disclaimer:

Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. DISA will coordinate all change requests with the relevant DoD organizations before inclusion in this document. Approved changes will be made in accordance with the DISA maintenance release schedule.

Product Support:

Parties within the DoD and Federal Government’s computing environments can obtain the applicable STIG from the Cyber Exchange website at https://cyber.mil/. This site contains the latest copies of STIGs, SRGs, and other related security information. Those without a Common Access Card (CAC) that has DoD Certificates can obtain the STIG from https://public.cyber.mi

Point of Contact:

disa.stig_spt@mail.mil

Sponsor:

Not provided.

Licensing:

Not provided.

Change History:

Updated URLs - 10/27/2021
Updated URLs - 1/26/2022
Updated SHA - 2/1/22
Updated URLs per DISA - 7/25/23

NIST checklist record last modified on 07/25/2023