NIST lists SCAP-validated tools
- By William Jackson
- Feb 06, 2008
A new Web page
hosted by the National Institute of Standards and Technology lists products that have been validated to scan the security configurations of Windows operating systems on federal desktop PCs.
The scanners use the Security Content Automation Protocol to check for compliance with the Federal Desktop Core Configuration (FDCC) standards. So far, three products have been validated by independent laboratories under NIST's National Voluntary Laboratory Accreditation Program.
The Office of Management and Budget required agencies that use Windows XP and Vista to comply with the FDCC by Feb. 1. OMB also required agencies to use SCAP scanning tools to ensure that configurations were not being altered.
'Your agency can now acquire information technology products that are self-asserted by information technology providers as compliant with the Windows XP & Vista FDCC, and use NIST's Security Content Automation Protocol to help evaluate providers' self-assertions,' OMB wrote in a July 31 memo to federal chief information officers. However, 'information technology providers must use SCAP-validated tools, as they become available, to certify their products do not alter these configurations, and agencies must use these tools when monitoring use of these configurations.'
NIST developed SCAP in cooperation with the Defense and Homeland Security departments and Mitre Corp. to provide technical specifications for identifying, enumerating, assigning and sharing security-related data. Vendors have developed tools using the protocol to help automate IT security operations, but as with any protocol, proper implementation must be validated.
NIST established a SCAP validation program last summer, accrediting three laboratories, and the first FDCC scanners have recently been evaluated. The new page is hosted in NIST's National Vulnerability Database Web site. Currently validated products all scan only Windows XP Professional SP 2. They are:
- SecureFusion v3.501 from Gideon Technologies Inc. of Duluth, Ga.
- C5 Compliance Platform v. 3.3.1 from Secure Elements Inc. of Herndon, Va.
- Secutor Prime v2.0.4 from ThreatGuard Inc. of San Antonio.
Meanwhile, a number of other products are in the process of being evaluated.
Currently accredited laboratories are EWA-Canada, of Ottawa; SAIC Accredited Testing and Evaluation Laboratories, of Columbia, Md.; and ICSA Labs of Mechanicsburg, Pa.
William Jackson is a Maryland-based freelance writer.