NIST out to ensure security products comply with vulnerability assessment language

Draft publication sets rules for laboratories testing products for OVAL compliance

A draft of requirements for determining the compliance of security scanning products with the Open Vulnerability and Assessment Language (OVAL) has been released by the National Institute of Standards and Technology.

The requirements will be used by accredited independent laboratories for testing products for OVAL, one of the Security Content Automation Protocols (SCAP).

“The OVAL Language is an XML specification for exchanging technical details on how to check systems for security-related software flaws, configuration issues, and patches,” the document, Interagency Report 7669 states.

It standardizes the three main steps of the vulnerability assessment process for IT systems: representing configuration information of systems for testing, analyzing the system for the specified machine state (including vulnerabilities, configuration and security patches), and reporting the results. “OVAL enables open and publicly available security content and standardizes the transfer of this content across the entire spectrum of information security tools and services,” the document says.

Related story:

NIST updates SCAP validation requirements 

OVAL is maintained by the Mitre Corp. The test requirements were developed for OVAL Version 5.6. operating systems supported by the language are Linux Red Hat EL 5; Apple Mac OS X 10.6; Windows XP, Vista, 7, Server 2003 and Server 2008; and Sun Solaris 10.

NIST’s OVAL Validation Program supersedes the compatibility program that had been run by Mitre.

OVAL is one of six protocols that make up SCAP, a NIST specification for expressing and manipulating security data in standardized ways. Other protocols are the Common Vulnerability and Exposures dictionary, the Common Configuration Enumeration dictionary, the Common Platform enumeration naming convention for hardware and software, the Extensible Configuration Checklist Description Format, and the Common Vulnerability Scoring System.

SCAP is intended to automate the task of managing the configurations and security settings of information systems, which can be a challenge to do manually because the of size, complexity and constant changes in the systems. A wide variety of hardware and software platforms typically are used for many purposes with differing levels of risk in a single environment, and the platforms and the threats to them are constantly evolving.

In addition to NIST and Mitre, SCAP components also are maintaining by the Forum for Incident Response and Security Teams. NIST provides SCAP content such as vulnerability and product enumeration identifiers via the National Vulnerability Database. Since last year, the Office of Management and Budget required agencies to use SCAP-validated products to check compliance with the Federal Desktop Core Configuration settings for government computers running Windows XP and Vista.

The new report is intended for accredited product testing laboratories, vendors interested in OVAL validation, and organizations wanting to deploy OVAL tools.

Comments on the draft should be sent to [email protected] by April 9.

About the Author

William Jackson is a Maryland-based freelance writer.


  • business meeting (Monkey Business Images/

    Civic tech volunteers help states with legacy systems

    As COVID-19 exposed vulnerabilities in state and local government IT systems, the newly formed U.S. Digital Response stepped in to help. Its successes offer insight into existing barriers and the future of the civic tech movement.

  • data analytics (

    More visible data helps drive DOD decision-making

    CDOs in the Defense Department are opening up their data to take advantage of artificial intelligence and machine learning tools that help surface insights and improve decision-making.

Stay Connected