Compliance round-up: NIST releases SCAP

Published 25 May 2007

NIST releases a new set of tools to help IT managers evaluate compliance with federal IT security requirements

The National Institute of Standards and Technology has released tools to help automate vulnerability management and evaluate compliance with federal IT security requirements.

The Security Content Automation Protocol (SCAP), an expansion of the National Vulnerability Database, offers automated checklists built on recognized standards for naming software flaws and configuration problems in IT products. The tools help IT managers test for vulnerabilities and rank them by severity of impact. GCN’s William Jackson reports that the checklist files are mapped to NIST specifications for compliance with the Federal Information Security Management Act (FISMA), so the output can be used to document FISMA compliance. Peter Mell, NVD program manager, said that “FISMA is a very thorough and comprehensive framework for securing computers…. but it doesn’t deal with diving down at low-level configurations and settings where vulnerabilities are exploited. It’s been difficult to go from the high-level framework to actually flipping bits on computers to secure them.” SCAP aims to bridge that gap between FISMA compliance and operational IT security.

The initial SCAP release checks for vulnerabilities in the Windows Vista, XP, and Server 2003 operating systems, as well as Office 2007 and Internet Explorer 7.0. It is being expanded to cover products from additional vendors.

SCAP currently uses six open standards for enumerating, evaluating, and measuring the impact of software problems and reporting the results:

* Common Vulnerabilities and Exposures, CVE, from MITRE Corp.; standard identifiers and dictionary for security vulnerabilities related to software flaws.

* Common Configuration Enumeration, CCE, from MITRE; standard identifiers and dictionary for system security configuration issues.

* Common Platform Enumeration, CPE, from MITRE; standard identifiers and dictionary for platform and product naming.

* eXtensible Configuration Checklist Description Format, XCCDF, from the National Security Agency and NIST; an XML format for specifying checklists and reporting results.

* Open Vulnerability and Assessment Language, OVAL, from MITRE; an XML language for specifying security testing procedures and reporting results.

* Common Vulnerability Scoring System, CVSS, from the Forum of Incident Response and Security Teams (FIRST); a standard for conveying and scoring the impact of vulnerabilities.