Frequently Asked Questions
We have outlined a number of frequently asked questions about FIPS-compliant HCL AppScan 360°. Please review the FAQs below. We also invite you to view our short video answering questions about implementation.
Licensing
-
There are multiple license types available that accommodate one of the following:
· Number of applications to protect
· Number of contributing users
· Desired scan concurrency
Speak with your HCLSoftware Federal Client Director or one of our business partners to determine the right approach for your organization.
-
No, it does not require a license server. An HCL AppScan 360° instance is activated by entering a token, provided via email, into the user interface.
-
Yes, all licensing options allow you to select the level of concurrency. Beyond the license, you are limited only by the resources you provide for the HCL AppScan 360° instance.
FedRAMP (See Video Explainer)
-
HCL AppScan 360° does not require FedRAMP Authorization as it is not delivered as a SaaS. View this short video for the complete details of how your organization would install on your premises or in your private cloud.
-
No, HCL AppScan 360° is not delivered as a vendor-managed Software as a Service. Instead, you manage it as a service. See the brief video for the full deployment options.
DevOps
-
HCL AppScan 360° has a Jenkins plugin to simplify automated security testing governance. It allows:
· Preparing code for SAST scanning
· Submitting scan requests to AppScan 360° (SAST, DAST, SCA)
· Polling for scan completion
· Retrieving results
· Stopping the Jenkins pipeline if your governance policy has been violated
Secure AppSec
-
HCLSoftware developed AppScan 360° to be FIPS 140-3 compliant to provide the security levels our federal customers need. FIPS 140-3 is achievable when you install it in a secure environment:
· The receiving Kubernetes cluster, control plane, and add-ons are FIPS Validated and/or FIPS Ready
· Ubuntu 22.04 Pro with FIPS enabled is used for the node servers and the installation server
· The ingress controller used in the cluster is configured securely
-
Yes, we created HCL AppScan 360° to be run wherever our U.S. Federal Government clients need to access it, including enclaves and secure networks where a cloud-based solution would not be accessible.
See the brief video for the full deployment options.
Scan Correlation
-
Yes, findings from prior scans are evaluated by status (e.g., Open, In Progress, Noise) against the results of a just-completed scan. Only findings that are unique to the current scan are counted as new, and previously triaged findings are not re-reported.

Have more questions?
Reach out to our team and we can assist with any additional information you need.