Updated SCAP specs aim to improve automated security checks
The Security Content Automation Protocol (SCAP), which helps agencies ensure the security of their networks, is being updated with four new specifications for automated security assessments of information systems.
Drafts of the new specs have been released by the National Institute of Standards and Technology in Special Publication 800-126 Revision 2, "The Technical Specification for the Security Content Automation Protocol: Version 1.2."
An increased emphasis on continuous monitoring and real-time awareness of the security status of federal IT systems makes the automation imperative. SCAP helps enable automation by supporting automated checking of configuration, vulnerability and patch status of systems, as well as compliance with security requirements. It also includes protocols for security measurement.
The protocol uses standardized software flaw and security configuration reference data provided by the National Vulnerability Database (NVD), which is managed by NIST and sponsored by the Department of Homeland Security. The NVD provides a unique identifier for each reported software vulnerability. According to NIST, the database has grown from 6,000 listings in 2002 to more than 46,000 listings.
The federal government and private industry are adopting SCAP as a security tool, and it has been widely incorporated by major security product vendors. Agencies are required to use SCAP-validated tools when such tools are available, and the specifications give product developers directions for implementing the latest version of the protocol.
“By detailing the specific and appropriate usage of the SCAP 1.2 components and their interoperability, NIST encourages the creation of reliable and pervasive SCAP content and the development of a wide array of products that leverage SCAP,” the NIST specifications say.
One of the strengths of SCAP is the standardization of naming schemes for software vulnerabilities and weaknesses introduced by the configuration of software. An updated “Guide to Using Vulnerability Naming Schemes” (SP 800-51 Revision 1) has been released by NIST.
Draft specifications for SCAP Version 1.2 are being released just four months after the finalization of Version 1.1. The draft revision of SP 800-126 defines the technical composition of SCAP Version 1.2 in terms of its component specifications, their interrelationships and interoperation, and the requirements for SCAP content.
Major changes from SCAP Version 1.1 to 1.2 include the addition of four specifications:
- Asset Reporting Format (ARF).
- Asset Identification.
- Common Configuration Scoring System (CCSS).
- Trust Model for Security Automation Data (TMSAD), which provides support for digitally signing SCAP source and result content.
Specifications included in the current Version 1.1 are:
- eXtensible Configuration Checklist Description Format (XCCDF).
- Open Vulnerability and Assessment Language (OVAL).
- Open Checklist Interactive Language (OCIL).
- Common Platform Enumeration (CPE).
- Common Configuration Enumeration (CCE).
- Common Vulnerabilities and Exposures (CVE).
- Common Vulnerability Scoring System (CVSS).
The new draft version also includes new source and result data stream models and upgrades OVAL support to version 5.10; CPE support to version 2.3; and XCCDF support to version 1.2.
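The naming schemes that SCAP standardizes (CVE for vulnerabilities, CCE for configuration settings, and CPE 2.3 for platforms) are what let tools from different vendors agree on what they are checking. As an added illustration, not part of the original article and not NIST's or any vendor's code, the Python script below parses the CPE 2.3 formatted-string binding, including its backslash escaping and its ANY ("*") and NA ("-") logical values, and checks the shape of CVE and CCE identifiers. The sample identifiers are constructed, the CCE check digit is not verified, and `cpe_applies` is a deliberately simplified comparison rather than the full CPE matching algorithm.

```python
"""Parse and validate SCAP naming-scheme identifiers: CVE, CCE and CPE 2.3
formatted strings.  Added example, not NIST or vendor code; the sample
identifiers at the bottom are constructed."""
import re

# Attribute order of a CPE 2.3 formatted string, after the "cpe:2.3:" prefix.
CPE_ATTRS = ("part", "vendor", "product", "version", "update", "edition",
             "language", "sw_edition", "target_sw", "target_hw", "other")
ANY, NA = "*", "-"          # CPE logical values: "any value" / "not applicable"

# CVE-YYYY-NNNN with four or more sequence digits.  CCE-NNNNN-N ends in a
# check digit; this regex checks the shape only and does not verify that digit.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
CCE_RE = re.compile(r"^CCE-\d{4,5}-\d$")


def split_fs(fs):
    """Split a formatted string on ':' characters that are not backslash-escaped."""
    fields, buf, i = [], [], 0
    while i < len(fs):
        ch = fs[i]
        if ch == "\\" and i + 1 < len(fs):   # keep the escape pair together
            buf.append(fs[i:i + 2])
            i += 2
            continue
        if ch == ":":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    fields.append("".join(buf))
    return fields


def unescape(value):
    """Turn an escaped component such as 'big\\$money' into its literal form."""
    if value in (ANY, NA):
        return value
    if value == "":
        raise ValueError("empty CPE component")
    return re.sub(r"\\(.)", r"\1", value)


def parse_cpe23(fs):
    """Parse a CPE 2.3 formatted string into a dict of its 11 attributes."""
    fields = split_fs(fs)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError("not a CPE 2.3 formatted string: %r" % fs)
    cpe = dict(zip(CPE_ATTRS, (unescape(f) for f in fields[2:])))
    if cpe["part"] not in ("a", "h", "o", ANY, NA):
        raise ValueError("bad part component %r" % cpe["part"])
    return cpe


def cpe_applies(target_fs, pattern_fs):
    """Simplified CPE comparison: a pattern attribute of ANY matches any target
    value; every other attribute must match exactly (case-insensitively).
    The full matching algorithm also handles wildcards inside values."""
    target, pattern = parse_cpe23(target_fs), parse_cpe23(pattern_fs)
    return all(pattern[a] == ANY or pattern[a].lower() == target[a].lower()
               for a in CPE_ATTRS)


def classify(identifier):
    """Return 'CVE', 'CCE' or 'CPE' for a well-formed identifier, else None."""
    if CVE_RE.match(identifier):
        return "CVE"
    if CCE_RE.match(identifier):
        return "CCE"
    if identifier.startswith("cpe:2.3:"):
        try:
            parse_cpe23(identifier)
            return "CPE"
        except ValueError:
            return None
    return None


if __name__ == "__main__":
    # Constructed sample identifiers, as they might appear in XCCDF content.
    samples = (
        "CVE-2011-0001",
        "CCE-12345-6",
        r"cpe:2.3:a:foo\\bar:big\$money_2010:*:*:*:*:special:ipod_touch:80gb:*",
        "CVE-11-1",          # malformed: too few year digits
    )
    for ident in samples:
        print(ident, "->", classify(ident))
    print(parse_cpe23(samples[2]))
```

Note that in the formatted string binding the period, hyphen and underscore are not escaped (so a version such as `8.0.6001` is written literally), while a colon inside a value must appear as `\:`; the splitter above keeps such an escaped colon inside its component instead of treating it as a separator.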
The protocol is expected to continue evolving to expand support for defining and measuring effective security controls, assessing and monitoring information security, and managing systems in accordance with risk-management frameworks.
Comments on draft SP 800-126 Revision 2 should be sent by Aug. 1 to firstname.lastname@example.org with "Comments SP 800-126" in the subject line.
William Jackson is a senior writer of GCN and the author of the CyberEye blog.