NIST Eyes Automated Security Setting

Draft Pub Explores SCAP

NIST computer scientists are providing guidance for a new way to automate the task of verifying computer security settings, and are seeking comment before issuing the final publication this summer.
Known as the Security Content Automation Protocol, or SCAP, the specification has recently been incorporated into software scanners for checking security settings in federal computers.
A new draft publication from the National Institute of Standards and Technology furnishes an overview of SCAP, discusses programs for ensuring that products implement SCAP properly and recommends how federal agencies and other organizations can use SCAP effectively. "You can do a lot of things with SCAP," NIST computer scientist Matthew Barrett, the publication's lead author, said in a statement. "An organization can express vulnerability assessment instructions in a machine-readable format, and SCAP-validated tools can use that information to automate many computer security activities."
The Office of Management and Budget last July began to require federal agencies to employ SCAP-validated products to measure compliance with the Federal Desktop Core Configuration, or FDCC, a group of security settings for federal computers that run Windows XP and Vista operating systems. SCAP lists known security-related configuration problems and software flaws and can identify these vulnerabilities and evaluate results to determine FDCC compliance, NIST says. The scan results are in a standardized format consistent across agencies and readable by other SCAP tools.
NIST says agencies can also use SCAP to automate technical compliance with other information technology requirements, such as the Federal Information Security Management Act (FISMA), and to map high-level FISMA controls, such as identifying, reporting and correcting information system flaws, or making sure software patches are up to date.
SCAP incorporates six open specifications, including a dictionary of names for security-related software flaws; naming conventions for hardware, operating systems and applications; and a specification for exchanging technical details on how to check systems for security-related issues. SCAP combines the specifications and incorporates two XML-based programming languages for manipulating SCAP-based information.
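As an added illustration of the standardized, tool-readable scan results described above (this is example code written for this page, not code from NIST or the publication), the following parses a constructed XCCDF 1.1 TestResult document, the XML result format SCAP tools emit, and summarizes which rules passed or failed. The rule identifiers, CCE number, target name and score are constructed placeholders.

```python
"""Added example: summarize a constructed XCCDF 1.1 TestResult document."""
import xml.etree.ElementTree as ET
from collections import Counter

# XCCDF 1.1 namespace used by SCAP 1.0 benchmarks and results.
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
NS = {"x": XCCDF_NS}

# Constructed sample result document; all identifiers are placeholders.
SAMPLE_RESULT = f"""<?xml version="1.0"?>
<TestResult xmlns="{XCCDF_NS}" id="example-scan-result"
            end-time="2009-06-01T12:00:00">
  <benchmark href="fdcc-example-benchmark.xml"/>
  <target>workstation-example</target>
  <rule-result idref="rule-password-min-length">
    <result>pass</result>
    <ident system="http://cce.mitre.org">CCE-00000-0</ident>
  </rule-result>
  <rule-result idref="rule-guest-account-disabled">
    <result>fail</result>
  </rule-result>
  <rule-result idref="rule-firewall-enabled">
    <result>notapplicable</result>
  </rule-result>
  <score system="urn:xccdf:scoring:default" maximum="100">66.67</score>
</TestResult>
"""


def summarize_results(xml_text):
    """Return (counts per result value, failing rule ids, reported score).

    XCCDF result values other than pass/fail (notapplicable, notchecked,
    error, unknown, ...) are counted but only 'fail' is listed as failing.
    """
    root = ET.fromstring(xml_text)
    counts = Counter()
    failed = []
    for rr in root.findall("x:rule-result", NS):
        res = rr.findtext("x:result", default="unknown", namespaces=NS)
        counts[res] += 1
        if res == "fail":
            failed.append(rr.get("idref"))
    score_el = root.find("x:score", NS)
    score = float(score_el.text) if score_el is not None else None
    return counts, failed, score


def is_compliant(xml_text):
    """Treat the target as compliant only if no rule failed or errored."""
    counts, _, _ = summarize_results(xml_text)
    return counts["fail"] == 0 and counts["error"] == 0
```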
NIST says vendors are incorporating SCAP into their products, such as those that check for security issues. NIST also manages programs for validating third-party software tools to ensure they properly incorporate SCAP and for accrediting outside laboratories that perform validation tests of SCAP tools.
NIST requests comments on the new publication, 800-117, "Guide to Adopting and Using the Security Content Automation Protocol." E-mail comments to firstname.lastname@example.org by Friday, June 12.