Presentation is loading. Please wait.

Presentation is loading. Please wait.

Federal Desktop Core Configuration and the Security Content Automation Protocol Peter Mell, National Vulnerability Database National Institute of Standards.

Published byShemar Milson Modified over 9 years ago

Similar presentations

Presentation on theme: "Federal Desktop Core Configuration and the Security Content Automation Protocol Peter Mell, National Vulnerability Database National Institute of Standards."— Presentation transcript:

1 Federal Desktop Core Configuration and the Security Content Automation Protocol Peter Mell, National Vulnerability Database National Institute of Standards and Technology mell@nist.gov John Banghart, Booz Allen Hamilton banghart_john@bah.com Ensuring Secure Computer Configurations within the Federal Government

2 Federal Desktop Core Configuration (FDCC) Standardized security configuration for Windows XP and Windows Vista OMB and the CIO council seek to reduce federal systems vulnerability to individual and state sponsored cyber terrorism “OMB Deep Dive” (Office of President initiative) New government wide program (DOD, Intel, Civilian) that leverages existing components Deadline for deployment is February, 2008 Scope of program requires automation

3 Information Security Automation Program (ISAP) Interagency (NIST, NSA, DISA, OSD, DHS) response to the need for consistent standards-based vulnerability management in the federal government and private industry. Automate the implementation of information system security controls in the IT systems through security-data sharing in standard formats. Security Content Automation Protocol (SCAP) is the technical implementation of ISAP

4 Security Content Automation Protocol (SCAP) Enables standardized and automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA and DoD 8500.2/8510 compliance) Enumeration of vulnerabilities, misconfigurations, platforms, and impact Machine readable security configuration checklists

5 SCAP Components Six open XML standards: Common Vulnerabilities and Exposures (CVE) Dictionary of security related software flaws Common Configuration Enumeration (CCE) Dictionary of software misconfigurations Common Platform Enumeration (CPE) Standard nomenclature and dictionary for product naming eXtensible Checklist Configuration Description Format (XCCDF) Standard XML for specifying checklists Open Vulnerability Assessment Language (OVAL) Standard XML for checking machine state Common Vulnerability Scoring System (CVSS) Standard for scoring the impact of vulnerabilities

6 Software Flaw Management CVE CPE CCE SCAP OVAL CVSS Compliance Management XCCDF Asset Management Configuration Management SCAP Interoperability

7 SCAP Vendors Currently Asserting SCAP Compatibility Planned SCAP Compatibility - FDCC Scanning Capable

8 SCAP Checklists SCAP Checklists: Windows Vista (FDCC Profile) Windows XP (FDCC Profile) Windows Vista Firewall (FDCC Profile) Windows XP Firewall (FDCC Profile) Windows Server 2003 Red Hat Linux Internet Explorer 7 (FDCC Profile) Microsoft Office 2007 Symantec Antivirus

9 SCAP Compliance Program Ensuring security tools comply to the NIST Security Content Automation Protocol (SCAP) enable agencies to continuously monitor systems against OMB mandated configuration settings (results mapped to FISMA) Supports Multiple Initiatives: OMB FDCC Secure Configuration Effort NIST FISMA Implementation Phase II (also applies to NIST HIPAA work) Information Security Automation Program (ISAP): OSD, DISA, NSA, DHS, NIST OSD Computer Network Defense Pilot NIST Checklist Program NIST National Vulnerability Database

10 SCAP and FISMA SCAP checklists have NIST 800-53 mappings for the recommended configuration settings SCAP compliant tools report on the compliance of the setting to FDCC and to the corresponding 800-53 technical control(s) Report provides evidence chain for due diligence.

11 Putting It Together Procurement Agencies require vendor assertion of FDCC compliance using language from OMB Memo M-07-18 Agency Software Acceptance Testing Agencies verify accuracy of vendor assertion using SCAP compliant tools Routine Monitoring Continuous monitoring of agency computer configurations Ensure that configuration hasn’t been altered through patches, software installation, or human interaction NIST FISMA Phase II Certification FISMA reporting through 800-53 mappings in SCAP checklists

12 Moving Forward Peter Mell, National Vulnerability Database National Institute of Standards and Technology mell@nist.gov John Banghart, Booz Allen Hamilton banghart_john@bah.com

Download ppt "Federal Desktop Core Configuration and the Security Content Automation Protocol Peter Mell, National Vulnerability Database National Institute of Standards."

Similar presentations

FDCC Implementation Efforts at Idaho National Laboratory Justin Hansen NLIT 2009.

FDCC Implementation Efforts at Idaho National Laboratory Justin Hansen NLIT 2009.
Notes: Update as of 1/13/2010. Vulnerabilities are included for SQL Server 2000, SQL Server 2005, SQL Server 2008. Oracle (8i, 9i, 9iR2, 10g, 10gR2,11g),

Notes: Update as of 1/13/2010. Vulnerabilities are included for SQL Server 2000, SQL Server 2005, SQL Server Oracle (8i, 9i, 9iR2, 10g, 10gR2,11g),
Nick Vennaro, NHIN Team (Contractor), Office of the National Coordinator for Health IT Michael Torppey, CONNECT Health IT Security Specialist (Contractor)

Nick Vennaro, NHIN Team (Contractor), Office of the National Coordinator for Health IT Michael Torppey, CONNECT Health IT Security Specialist (Contractor)
National Institute of Standards and Technology (NIST) The Information Technology Lab Computer Security Division (893)

National Institute of Standards and Technology (NIST) The Information Technology Lab Computer Security Division (893)
Deploying GMP Applications Scott Fry, Director of Professional Services.

Deploying GMP Applications Scott Fry, Director of Professional Services.
Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States Department of Energy’s National Nuclear.

Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States Department of Energy’s National Nuclear.
Paul Green –President and Founder of G2, Inc –We are trusted security advisors to the Federal Government and Fortune 500. –We are recognized as having.

Paul Green –President and Founder of G2, Inc –We are trusted security advisors to the Federal Government and Fortune 500. –We are recognized as having.
Cyber Security: Past and Future John M. Gilligan CERT’s 20 th Anniversary Technical Symposium Pittsburgh, PA www.gilligangroupinc.com March 10, 2009.

Cyber Security: Past and Future John M. Gilligan CERT’s 20 th Anniversary Technical Symposium Pittsburgh, PA March 10, 2009.
Lumension: Because Hope is no Strategy Andreas Müller Regional Sales Manager D/A/CH.

Lumension: Because Hope is no Strategy Andreas Müller Regional Sales Manager D/A/CH.
Secure Configuration Management (SCM)

Secure Configuration Management (SCM)
SCAP: Automating Our Way Out Of The Vulnerability Wheel Of Pain AppSec DC 11.13.2009 Ed Bellis VP, CISO Orbitz Worldwide

SCAP: Automating Our Way Out Of The Vulnerability Wheel Of Pain AppSec DC Ed Bellis VP, CISO Orbitz Worldwide
NSA/DISA/NIST Security Content Automation Program Vulnerability Compliance & Measurement Stephen Quinn & Peter Mell Computer Security Division NIST.

NSA/DISA/NIST Security Content Automation Program Vulnerability Compliance & Measurement Stephen Quinn & Peter Mell Computer Security Division NIST.
The State of Security Management By Jim Reavis January 2003.

The State of Security Management By Jim Reavis January 2003.
Peter Mell and Stephen Quinn Computer Security Division NIST

Peter Mell and Stephen Quinn Computer Security Division NIST
Standardizing and Automating Security Operations Presented by: National Institute of Standards and Technology.

Standardizing and Automating Security Operations Presented by: National Institute of Standards and Technology.
1 DCS860A Emerging Technology Physical layer transparency in Cloud Computing (rev. 12-16-11)

1 DCS860A Emerging Technology Physical layer transparency in Cloud Computing (rev )
FDCC 1 August 2007 Update Matt Barrett National Institute of Standards and Technology.

FDCC 1 August 2007 Update Matt Barrett National Institute of Standards and Technology.
Trusted Internet Connections. Background Pervasive and sustained cyber attacks against the United States continue to pose a potentially devastating impact.

Trusted Internet Connections. Background Pervasive and sustained cyber attacks against the United States continue to pose a potentially devastating impact.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Information System Continuous Monitoring (ISCM)

Information System Continuous Monitoring (ISCM)

Similar presentations

Ads by Google