Automated computer security guidelines updated

Tuesday, April 13, 2010 @ 05:04 PM gHale

Public comments to changes in the Security Content Automation Protocol (SCAP) are now under review.

SCAP is a suite of specifications that use eXtensible Markup Language (XML) to standardize how software products exchange information about software flaws and security configurations. The National Institute of Standards and Technology (NIST) issued the draft publication in December.

SCAP incorporates software flaw and security configuration standard reference data from the National Vulnerability Database, managed by NIST and sponsored by the Department of Homeland Security. SCAP supports automated vulnerability checking, technical control compliance activities and security measurement. The federal government is adopting SCAP and encourages its use to automate security activities including compliance with the Federal Desktop Core Configuration (FDCC), a group of security settings mandated for federal computers that run Windows XP and Vista. Agencies can use SCAP to automate technical compliance with other information technology requirements, such as the Federal Information Security Management Act (FISMA) and the Payment Card Industry (PCI) framework.

Special Publication 800-126 Revision 1, The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.1, facilitates development of interoperable SCAP tools and content. The publication has significant changes from the version 1.0 specification defined in the original Special Publication 800-126 release.

The most notable change is the addition to SCAP of the Open Checklist Interactive Language (OCIL), a framework for expressing security checks that cannot be fully automated, meaning those that require some human interaction or feedback. OCIL provides a standardized way of performing these manual checks through questionnaires, with language constructs for questions, user instructions and possible responses to questions.
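A questionnaire of the kind described above, written here as an added illustration (it is constructed for this article and is not taken from NIST's publication); it assumes the OCIL 2.0 element names and an ocil:org.example:* identifier scheme, both of which should be checked against the published schema:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example: one manual check expressed as an OCIL questionnaire. -->
<ocil xmlns="http://scap.nist.gov/schema/ocil/2.0">
  <generator>
    <schema_version>2.0</schema_version>
    <timestamp>2010-04-13T00:00:00</timestamp>
  </generator>

  <!-- The questionnaire groups the checks a reviewer must answer by hand. -->
  <questionnaires>
    <questionnaire id="ocil:org.example:questionnaire:1">
      <title>Physical access to the workstation</title>
      <description>Checks that cannot be evaluated by software alone.</description>
      <actions>
        <test_action_ref>ocil:org.example:testaction:1</test_action_ref>
      </actions>
    </questionnaire>
  </questionnaires>

  <!-- A test action maps each possible response to a PASS or FAIL result. -->
  <test_actions>
    <boolean_question_test_action id="ocil:org.example:testaction:1"
                                  question_ref="ocil:org.example:question:1">
      <when_true><result>PASS</result></when_true>
      <when_false><result>FAIL</result></when_false>
    </boolean_question_test_action>
  </test_actions>

  <!-- The question itself, with step-by-step instructions for the user. -->
  <questions>
    <boolean_question id="ocil:org.example:question:1">
      <question_text>Is the workstation's case lock engaged and the key stored away from the machine?</question_text>
      <instructions>
        <title>How to verify</title>
        <step><description>Inspect the case lock on the rear of the chassis.</description></step>
        <step><description>Confirm the key is not left in or near the workstation.</description></step>
      </instructions>
    </boolean_question>
  </questions>
</ocil>
```

A SCAP tool that supports OCIL presents the question and instructions to the operator and records the PASS or FAIL result alongside its automated checks.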

See SP 800-126 Revision 1, The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.1.
