New SCAP testing requirements cover Windows 7, IE 8
The National Institute of Standards and Technology has released for public comment a draft of updated validation testing requirements for the latest version of the Security Content Automation Protocol.
Interagency Report 7511 Revision 3 includes Government Configuration Baseline test requirements for Microsoft Windows 7 and Internet Explorer 8.
SCAP is a NIST specification for expressing and manipulating security data in standardized ways. It can enumerate product names and vulnerabilities, including software flaws and configuration issues, identify the presence of vulnerabilities and assign severity scores to software flaws.
Updated SCAP specs aim to improve automated security checks
Agencies are expected to use scanning and monitoring tools that incorporate SCAP when possible. NIST accredits independent laboratories to perform validation testing under the National Voluntary Laboratory Accreditation Program.
This interagency report defines the requirements and test procedures for validating products based on a defined set of capabilities. The requirement, when finalized, would supersede previous versions of test requirements for SCAP version 1.0 released in 2008, 2009, 2010 and January 20111.
It is written primarily for accredited laboratories, vendors that are interested in receiving SCAP validation for their products, and organizations that want to deploy SCAP products.
The specifications included in SCAP Version 1.2 are:
Extensible Configuration Checklist Description Format (XCCDF) 1.2, an Extensible Markup Language (XML) specification for structured collections of security configuration rules used by operating system (OS) and application platforms.
Open Vulnerability and Assessment Language (OVAL) 5.10, an XML specification for exchanging technical details on how to check systems for security-related software flaws, configuration issues, and patches.
Open Checklist Interactive Language (OCIL) 2.0, a language for representing checks that collect information from people or from existing data stores made by other data collection efforts.
Common Configuration Enumeration (CCE) 5, a dictionary of names for software security configuration issues (e.g., access control settings, password policy settings).
Common Platform Enumeration (CPE) 2.3, a naming convention for hardware, OS, and application products.
Common Vulnerabilities and Exposures (CVE), a dictionary of names for publicly known security-related software flaws.
Asset Identification (AI) 1.1, a format for uniquely identifying assets based on known identifiers and/or known information about the assets.
Asset Reporting Format (ARF) 1.1, a format for expressing the transport format of information about assets and the relationships between assets and reports.
Common Vulnerability Scoring System (CVSS) 2.0, a method for classifying characteristics of software flaws and assigning severity scores based on these characteristics.
Common Configuration Scoring System (CCSS) 1.0, a system for measuring the relative severity of system security configuration issues.
Trust Model for Security Automation Data (TMSAD) 1.0, a specification for using digital signatures in a common trust model applied to other security automation specifications.
Comments on the draft should be sent to IR7511comments@nist.gov by Dec. 16.