[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ISN] NIST releases FISMA security control tools


By William Jackson
GCN Staff

The National Institute of Standards and Technology has released a suite 
of tools to help automate vulnerability management and evaluate 
compliance with federal IT security requirements.

The Security Content Automation Protocol is an expansion of the National 
Vulnerability Database. It is an automated checklist that using a 
collection of recognized standards for naming software flaws and 
configuration problems in specific products. It can help test for the 
presence of vulnerabilities and rank them according to severity of 
impact. The checklist files are mapped to NIST specifications for 
compliance with the Federal Information Security Management Act, so that 
the output can be used to document FISMA compliance.

FISMA is a very thorough and comprehensive framework for security 
computers, said Peter Mell, NVD program manager. But it doesnt deal with 
diving down at low level configurations and settings where 
vulnerabilities are exploited. Its been difficult to go from the high 
level framework to actually flipping bits on computers to secure them.

SCAP is intended to help make the step from FISMA compliance to 
operational IT security.

Because much of government is standardized on Microsoft products, the 
initial SCAP release checks for vulnerabilities in Windows Vista, XP and 
Server 2003 operating systems as well as Office 2007 and Internet 
Explorer 7.0. It is being rapidly expanded to encompass additional 
vendors and products, Mell said.

SCAP currently uses six open standards for enumerating, evaluating and 
measuring the impact of software problems and reporting the results:

* Common Vulnerabilities and Exposures, CVE, from MITRE Corp.; standard 
  identifiers and dictionary for security vulnerabilities related to 
  software flaws.
* Common Configuration Enumeration, CCE, from MITRE; standard 
  identifiers and dictionary for system security configuration issues.
* Common Platform Enumeration, CPE, from MITRE; standard identifiers and 
  dictionary for platform and product naming.
* eXtensible Configuration Checklist Description Format, XCCDF, from the 
  National Security Agency and NIST; a standard XML for specifying 
  checklists and reporting results.
* Open Vulnerability and Assessment Language, OVAL, from MITRE; a 
  standard XML for security testing procedures and reporting.
* Common Vulnerability Scoring System, CVSS, from the Forum of Incident 
  Response and Security Teams; a standard for conveying and scoring the 
  impact of vulnerabilities.

Attend Black Hat USA, July 28-August 2 in Las Vegas, 
the world's premier technical event for ICT security 
experts. Featuring 30 hands-on training courses and 
90 Briefings presentations with lots of new content 
and new tools. Network with 4,000 delegates from 
70 nations.   Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on 
June 1 so register today. http://www.blackhat.com