National Vulnerability Database


ForeScout CounterACT STIG Version 2 Checklist Details (Checklist Revisions)

Supporting Resources:


Target / CPE Name:

  • ForeScout CounterACT NDM: cpe:/a:forescout:counteract_ndm:-
  • ForeScout CounterACT ALG: cpe:/a:forescout:counteract_alg:-

Checklist Highlights

Checklist Name:
ForeScout CounterACT STIG
Checklist ID:
Version 2
Review Status:
Governmental Authority: Defense Information Systems Agency
Original Publication Date:

Checklist Summary:

The ForeScout CounterACT Security Technical Implementation Guide (STIG) provides the technical security policies, requirements, and implementation details for applying security concepts to the CounterACT Enterprise Manager (EM) and CounterACT appliance. The STIG is a package of two STIGs that together ensure the secure implementation of the Network Device Management (NDM) function and the Network Access Control (NAC) traffic services. ForeScout CounterACT provides NAC and threat protection for the enterprise. CounterACT integrates with compatible switches and other network infrastructure equipment to enforce DoD access control policies for detected devices. Devices may be managed or unmanaged, and the assessment policies are largely vendor-specific since CounterACT has a large network product database.
CounterACT also provides access control network services that are user-aware. These services allow trusted users who are using validated endpoints configured in compliance with the organization’s security policies to remain productive while protecting critical network resources and sensitive data. CounterACT implements functions such as traffic filtering, authentication, access, and authorization functions based on computer and user privileges. However, the directory service (e.g., Active Directory or LDAP) must not be installed on CounterACT, particularly if the gateway resides on the untrusted zone of the Enclave. Although CounterACT can be upgraded and configured with features such as guest access and the ability to protect network resources from threats such as malware and worms, these upgrades and capabilities are not within the scope of this document.
An Enterprise Manager, as well as at least one appliance, should be implemented to meet redundancy and centralization requirements. The Enterprise Manager allows the organization to meet centralized management requirements and provides more robust management and auditing tools.
Audit tools for CounterACT include the Web Portal and Enterprise Management software. Both tools require authenticated access, although the Web Portal can only work with password access and thus must only be used from the management VLAN and management station. Additionally, because CounterACT can also be configured for malware threat protection, guest access, and other capabilities, a complete security assessment requires assessing all modules integrated into the specific DoD implementation. Each security review must include the ForeScout CounterACT NDM STIG and ForeScout CounterACT ALG STIG, at a minimum, regardless of the role in the network architecture or modules installed. Since product STIGs are not available for all configurations/modules, use of existing generic technology STIGs may be required to secure these functions. This STIG focuses on the hardware-based CounterACT platform. The CounterACT virtual platform was not tested and is not part of the scope of this STIG.

Checklist Role:

  • Multi-Functional Peripherals

Known Issues:

Not provided.

Target Audience:

Not provided.

Target Operational Environment:

  • Managed
  • Specialized Security-Limited Functionality (SSLF)

Testing Information:

Not provided.

Regulatory Compliance:

DoD Instruction (DoDI) 8500.01


Comments or proposed revisions to this document should be sent via email to the following address: DISA will coordinate all change requests with the relevant DoD organizations before inclusion in this document. Approved changes will be made in accordance with the DISA maintenance release schedule.


Not provided.

Product Support:

Parties within the DoD and Federal Government’s computing environments can obtain the applicable STIG from the Information Assurance Support Environment (IASE) website. This site contains the latest copies of any STIGs, SRGs, and other related security information. The address for the IASE site is

Point of Contact:


Not provided.


Not provided.

Change History:

updated title and product associations
updated to v1,r2 - 02/16/2018
Updated to FINAL - 3/18/2018
Corrected Title - 5/9/18
Updated URLs - 6/5/19


Reference URL Description:

  • ForeScout CounterACT Ver 1 Overview
  • ForeScout CounterACT STIG Ver 1 Release Memo

NIST checklist record last modified on 06/06/2019